RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 04:27:45 +00:00
Code Issues Activity Actions

LibTTF: Guard against unsigned overflow in TTF table parsing

Browse source 
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29170
This commit is contained in:
Andreas Kling 2021-01-05 14:49:09 +01:00
parent 688d249b2d
commit 5e95d62ffe
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Libraries/LibTTF/Font.cpp
View file

@ -25,6 +25,7 @@
*/
#include "AK/ByteBuffer.h"
#include <AK/Checked.h>
#include <AK/LogStream.h>
#include <AK/Utf32View.h>
#include <AK/Utf8View.h>
@ -271,6 +272,12 @@ RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
u32 tag = be_u32(buffer.offset_pointer(record_offset));
u32 table_offset = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Offset));
u32 table_length = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Length));
if (Checked<u32>::addition_would_overflow(table_offset, table_length)) {
dbgln("Invalid table offset/length in font.");
return nullptr;
}
if (buffer.size() < table_offset + table_length) {
dbg() << "Font file too small";
return nullptr;