From 52f78d07b85b884709508c859ea120e4a1fb025a Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Wed, 25 Oct 2023 21:46:50 +0100
Subject: [PATCH] LibGfx/WOFF2: Ensure `numTables` is within expected range

An error is now returned if `numTables` is zero or greater than 4096.
While this isn't explicitly mentioned in the specification, subsequent
calculations will be incorrect if the value falls outside this range.
---
 Tests/LibGfx/TestWOFF2.cpp                        |   3 ++-
 .../test-inputs/woff2/invalid_numtables.woff2     | Bin 0 -> 640 bytes
 Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp     |   2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibGfx/test-inputs/woff2/invalid_numtables.woff2

diff --git a/Tests/LibGfx/TestWOFF2.cpp b/Tests/LibGfx/TestWOFF2.cpp
index 467f022ffb..2cc2b2c067 100644
--- a/Tests/LibGfx/TestWOFF2.cpp
+++ b/Tests/LibGfx/TestWOFF2.cpp
@@ -24,7 +24,8 @@ TEST_CASE(tolerate_incorrect_sfnt_size)
 TEST_CASE(malformed_woff2)
 {
     Array test_inputs = {
-        TEST_INPUT("woff2/incorrect_compressed_size.woff2"sv)
+        TEST_INPUT("woff2/incorrect_compressed_size.woff2"sv),
+        TEST_INPUT("woff2/invalid_numtables.woff2"sv)
     };
 
     for (auto test_input : test_inputs) {
diff --git a/Tests/LibGfx/test-inputs/woff2/invalid_numtables.woff2 b/Tests/LibGfx/test-inputs/woff2/invalid_numtables.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..4b37db4f15cbe93042d9a0c9b2a2e2992aa8e0b1
GIT binary patch
literal 640
zcmXT-cQayOWME)mU}|UpQ4Fjf7#NteA!1+w6vE!kEyPzwN`@_gp~;DZMUaE5rjd=C
zi-FOMNrhQ}MS-<Bid{?kCkw;8=0fLqua0X@E-p7$NPj;q{qe)!8{3QT@77MslvbK{
zbd6(XMN-BR--^?Eh0@0NUwyy4SKdKckMG4NrZo`~WehPUR>xGgZJoPgQNhHs>%yOD
zt@*oub`1NJ1MF7QuWiWSjXJ-)RZ}dzdphg11f|qDRlAGZi!{>GZccGudsKsE&u^In
zziVFx+WtutV0mHU(ck2t5NwmO;Evw=2YPel<aPOb7p>%VU^sB^^ltsC(BRc~I<lu&
zb2K!keeCM;?DCCDiOCmRQqpH8b!GGAimrwXHHN?d1_s93MAqr^wA~#{q)a9(5EZ>E
z!8jqpiFxA9I~T7^ZO?7{CVbV|oG*5+_4c{-AJ&$A-d=O|%zbxh{}ge?IQD6IySBaf
z8$3Pj@NM7gt9~voSQ(rmteYV5xZbfa-RZ-VOCOJ?S6%8}EBp2N&fmg(E4ZKbg|V_c
zHSSYipr^p#pjPalw6kGClxTne)9oLOCDn}#!jCvwN~9VW9o1!7C7I8$<O?t3tS@b`
z4QY~}OO$SJU^^xdCEK#-HtULQ6%AKj@tVy1`hQ*8T0_<ByoVX7EAkVXEw}D8aMkD%
z*Pbmod*<!g2j%U*ZhLL3<7BWw&tgS(F7v*Lhd0EB-@oQ^nagR$)x`dtGkN!>EM4EN
zS=XfcF~~-J{sZA>#y+jzRqvMH*;AAm_Oo^JnhBYKhs3|#ypqFJXb~MLz3N@E6U$G|
dGRb%T8$B-QubgYX*^g05Q-Fa%NO5Hz3jmD^30(jH

literal 0
HcmV?d00001

diff --git a/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp b/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
index ba813a7791..fd24061e16 100644
--- a/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
+++ b/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
@@ -859,6 +859,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Seekabl
     static constexpr size_t MAX_BUFFER_SIZE = 10 * MiB;
     if (header.length > TRY(stream.size()))
         return Error::from_string_literal("Invalid WOFF length");
+    if (header.num_tables == 0 || header.num_tables > NumericLimits<u16>::max() / 16)
+        return Error::from_string_literal("Invalid WOFF numTables");
     if (header.total_compressed_size > MAX_BUFFER_SIZE)
         return Error::from_string_literal("Compressed font is more than 10 MiB");
     if (header.meta_length == 0 && header.meta_offset != 0)