LibTTF: Guard against unsigned overflow in TTF table parsing
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29170
parent
688d249b2d
commit
5e95d62ffe
1 changed files with 7 additions and 0 deletions
|
@ -25,6 +25,7 @@
|
|||
*/
|
||||
|
||||
#include "AK/ByteBuffer.h"
|
||||
#include <AK/Checked.h>
|
||||
#include <AK/LogStream.h>
|
||||
#include <AK/Utf32View.h>
|
||||
#include <AK/Utf8View.h>
|
||||
|
@ -271,6 +272,12 @@ RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
|
|||
u32 tag = be_u32(buffer.offset_pointer(record_offset));
|
||||
u32 table_offset = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Offset));
|
||||
u32 table_length = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Length));
|
||||
|
||||
if (Checked<u32>::addition_would_overflow(table_offset, table_length)) {
|
||||
dbgln("Invalid table offset/length in font.");
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
if (buffer.size() < table_offset + table_length) {
|
||||
dbg() << "Font file too small";
|
||||
return nullptr;
|
||||
|
|
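Review bot: The new overflow guard in `Font::load_from_offset` has no comment saying why it must run before the `buffer.size() < table_offset + table_length` comparison: that sum is evaluated in u32, so a wrapped value from a malformed table record would pass the size check. I would add above the guard `// table_offset + table_length is u32 arithmetic; reject a wrapping pair before the size check below relies on the sum.` The two rejection paths also log differently (`dbgln(...)` in the new code, `dbg() << ...` just below), and neither message names the table; including `tag` would make a rejected fuzz case easier to triage. The `be_u32` reads at `record_offset + (u32)Offsets::TableRecord_Offset` and `record_offset + (u32)Offsets::TableRecord_Length` in the context lines take input from the same untrusted buffer. Whether `record_offset` is range-checked before them is not visible here, because the function body starts and ends outside the hunk, so it is worth confirming that the same overflow reasoning was applied there.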