mirror of
https://github.com/RGBCube/serenity
synced 2025-07-27 06:27:45 +00:00
LibTTF: Guard against unsigned overflow in TTF table parsing
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29170
This commit is contained in:
Andreas Kling
parent
688d249b2d
commit
5e95d62ffe
1 changed files with 7 additions and 0 deletions
|
|
@ -25,6 +25,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "AK/ByteBuffer.h"
|
#include "AK/ByteBuffer.h"
|
||||||
|
#include <AK/Checked.h>
|
||||||
#include <AK/LogStream.h>
|
#include <AK/LogStream.h>
|
||||||
#include <AK/Utf32View.h>
|
#include <AK/Utf32View.h>
|
||||||
#include <AK/Utf8View.h>
|
#include <AK/Utf8View.h>
|
||||||
|
|
@ -271,6 +272,12 @@ RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
|
||||||
u32 tag = be_u32(buffer.offset_pointer(record_offset));
|
u32 tag = be_u32(buffer.offset_pointer(record_offset));
|
||||||
u32 table_offset = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Offset));
|
u32 table_offset = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Offset));
|
||||||
u32 table_length = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Length));
|
u32 table_length = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Length));
|
||||||
|
|
||||||
|
if (Checked<u32>::addition_would_overflow(table_offset, table_length)) {
|
||||||
|
dbgln("Invalid table offset/length in font.");
|
||||||
|
return nullptr;
|
||||||
|
}
|
||||||
|
|
||||||
if (buffer.size() < table_offset + table_length) {
|
if (buffer.size() < table_offset + table_length) {
|
||||||
dbg() << "Font file too small";
|
dbg() << "Font file too small";
|
||||||
return nullptr;
|
return nullptr;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue