
LibGfx: Fix out of bounds read in BitmapFont::masked_character_set()

When creating a copy of the font containing only the glyphs that are in
use, we previously looped over all possible code points, instead of the
range of code points that are actually in use (and allocated) in the
font. This is a problem, since we index into the array of widths to find
out if a given glyph is used. This array is only as long as the number
of glyphs the font was created with, causing an out of bounds read when
that number is less than our maximum.
This commit is contained in:
Julian Offenhäuser 2023-04-06 00:19:06 +02:00 committed by Sam Atkins
parent 0c98cde18e
commit 602f5459bf


@ -118,7 +118,7 @@ ErrorOr<NonnullRefPtr<BitmapFont>> BitmapFont::masked_character_set() const
if (!new_range_mask)
return Error::from_errno(errno);
u16 new_range_mask_size { 0 };
for (size_t i = 0; i < s_max_glyph_count; ++i) {
for (size_t i = 0; i < m_glyph_count; ++i) {
if (m_glyph_widths[i] > 0) {
new_range_mask[i / 256 / 8] |= 1 << (i / 256 % 8);
if (i / 256 / 8 + 1 > new_range_mask_size)
@ -136,7 +136,7 @@ ErrorOr<NonnullRefPtr<BitmapFont>> BitmapFont::masked_character_set() const
auto* new_widths = static_cast<u8*>(calloc(new_glyph_count, 1));
if (!new_widths)
return Error::from_errno(errno);
for (size_t i = 0, j = 0; i < s_max_glyph_count; ++i) {
for (size_t i = 0, j = 0; i < m_glyph_count; ++i) {
if (!(new_range_mask[i / 256 / 8] & 1 << (i / 256 % 8))) {
j++;
i += 255;
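Review bot: The new bound in both loops (`i < m_glyph_count`, first and second hunk) relies on an invariant that is not recorded at either site: m_glyph_widths holds exactly m_glyph_count entries, so any index below that is in bounds and the old s_max_glyph_count bound was the over-read. A one-line comment above the first loop would keep the next reader from "restoring" the wider bound, e.g. `// m_glyph_widths has exactly m_glyph_count entries; looping to s_max_glyph_count read past it.` The mask index `i / 256 / 8` is still only safe if new_range_mask was allocated for at least m_glyph_count / 2048 + 1 bytes; that allocation is above the first hunk and I cannot see its size, so worth confirming it is derived from the same count rather than from s_max_glyph_count. masked_character_set's body begins before the first hunk and continues after the second.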