RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 23:17:45 +00:00
Code Issues Activity Actions

LibGfx/WOFF2: Ensure numTables is within expected range

Browse source 
An error is now returned if `numTables` is zero or greater than 4096.
While this isn't explicitly mentioned in the specification, subsequent
calculations will be incorrect if the value falls outside this range.
This commit is contained in:
Tim Ledbetter 2023-10-25 21:46:50 +01:00 committed by Andreas Kling
parent e48b3b39cf
commit 52f78d07b8
3 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
View file

@ -859,6 +859,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Seekabl
static constexpr size_t MAX_BUFFER_SIZE = 10 * MiB;
if (header.length > TRY(stream.size()))
return Error::from_string_literal("Invalid WOFF length");
if (header.num_tables == 0 || header.num_tables > NumericLimits<u16>::max() / 16)
return Error::from_string_literal("Invalid WOFF numTables");
if (header.total_compressed_size > MAX_BUFFER_SIZE)
return Error::from_string_literal("Compressed font is more than 10 MiB");
if (header.meta_length == 0 && header.meta_offset != 0)