From 602f5459bfa3d8acad9627ac8fc7af6b77cf66ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20Offenh=C3=A4user?=
Date: Thu, 6 Apr 2023 00:19:06 +0200
Subject: [PATCH] LibGfx: Fix out of bounds read in BitmapFont::masked_character_set()

When creating a copy of the font containing only the glyphs that are in use, we previously looped over all possible code points, instead of the range of code points that are actually in use (and allocated) in the font. This is a problem, since we index into the array of widths to find out if a given glyph is used. This array is only as long as the number of glyphs the font was created with, causing an out of bounds read when that number is less than our maximum.
---
 Userland/Libraries/LibGfx/Font/BitmapFont.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibGfx/Font/BitmapFont.cpp b/Userland/Libraries/LibGfx/Font/BitmapFont.cpp
index 074d78e720..c165b24864 100644
--- a/Userland/Libraries/LibGfx/Font/BitmapFont.cpp
+++ b/Userland/Libraries/LibGfx/Font/BitmapFont.cpp
@@ -118,7 +118,7 @@ ErrorOr> BitmapFont::masked_character_set() const
 if (!new_range_mask)
 return Error::from_errno(errno);
 u16 new_range_mask_size { 0 };
- for (size_t i = 0; i < s_max_glyph_count; ++i) {
+ for (size_t i = 0; i < m_glyph_count; ++i) {
 if (m_glyph_widths[i] > 0) {
 new_range_mask[i / 256 / 8] |= 1 << (i / 256 % 8);
 if (i / 256 / 8 + 1 > new_range_mask_size)
@@ -136,7 +136,7 @@ ErrorOr> BitmapFont::masked_character_set() const
 auto* new_widths = static_cast(calloc(new_glyph_count, 1));
 if (!new_widths)
 return Error::from_errno(errno);
- for (size_t i = 0, j = 0; i < s_max_glyph_count; ++i) {
+ for (size_t i = 0, j = 0; i < m_glyph_count; ++i) {
 if (!(new_range_mask[i / 256 / 8] & 1 << (i / 256 % 8))) {
 j++;
 i += 255;
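Review bot: The invariant that makes the new loop bound safe — `m_glyph_widths` is only `m_glyph_count` entries long, not `s_max_glyph_count` — is stated in the commit message but nowhere in the code, so the next edit to either loop (the @@ -118 hunk and the @@ -136 hunk share this) can reintroduce the over-read without any hint at the call site. I'd put a comment above the first `for` in the @@ -118 hunk: `// m_glyph_widths has m_glyph_count entries (not s_max_glyph_count); never index it past that.` In the @@ -136 hunk the `i += 255` skip followed by the loop's `++i` lands on the next multiple of 256 and is then re-checked against `m_glyph_count`, which is fine but reads like an off-by-one at first glance, so a one-line comment there such as `// skip the rest of this 256-glyph block; ++i moves to its start` would help. Whether `new_range_mask` is allocated large enough for the `i / 256 / 8` index at `i < m_glyph_count` depends on code outside the hunk; the rest of masked_character_set(), including that allocation, starts and ends outside both hunks and I have not verified it.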