From 7d5a369ac9a563f7e73bee6fde278aa583f1953a Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Tue, 5 Jan 2021 15:14:29 +0100
Subject: [PATCH] LibGfx: Fail PGM decode if there isn't enough color data in
 image

If we have less pixel color data than we need to fill the image, just
fail the decode.

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29127
---
 Libraries/LibGfx/PGMLoader.cpp               | 22 +++++++++++++++++++-
 Libraries/LibGfx/PortableImageLoaderCommon.h | 16 --------------
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/Libraries/LibGfx/PGMLoader.cpp b/Libraries/LibGfx/PGMLoader.cpp
index 88f50f5206..122a698a7b 100644
--- a/Libraries/LibGfx/PGMLoader.cpp
+++ b/Libraries/LibGfx/PGMLoader.cpp
@@ -67,6 +67,21 @@ struct PGMLoadingContext {
     RefPtr<Gfx::Bitmap> bitmap;
 };
 
+static void set_adjusted_pixels(PGMLoadingContext& context, const AK::Vector<Gfx::Color>& color_data)
+{
+    size_t index = 0;
+    for (size_t y = 0; y < context.height; ++y) {
+        for (size_t x = 0; x < context.width; ++x) {
+            Color color = color_data.at(index);
+            if (context.max_val < 255) {
+                color = adjust_color(context.max_val, color);
+            }
+            context.bitmap->set_pixel(x, y, color);
+            ++index;
+        }
+    }
+}
+
 static bool read_image_data(PGMLoadingContext& context, Streamer& streamer)
 {
     Vector<Gfx::Color> color_data;
@@ -90,10 +105,15 @@ static bool read_image_data(PGMLoadingContext& context, Streamer& streamer)
         }
     }
 
-    if (!create_bitmap(context)) {
+    size_t context_size = (u32)context.width * (u32)context.height;
+    if (context_size != color_data.size()) {
+        dbgln("Not enough color data in image.");
         return false;
     }
 
+    if (!create_bitmap(context))
+        return false;
+
     set_adjusted_pixels(context, color_data);
 
     context.state = PGMLoadingContext::State::Bitmap;
diff --git a/Libraries/LibGfx/PortableImageLoaderCommon.h b/Libraries/LibGfx/PortableImageLoaderCommon.h
index 63b71ca28e..b5b1c5e91f 100644
--- a/Libraries/LibGfx/PortableImageLoaderCommon.h
+++ b/Libraries/LibGfx/PortableImageLoaderCommon.h
@@ -216,22 +216,6 @@ static bool create_bitmap(TContext& context)
     return true;
 }
 
-template<typename TContext>
-static void set_adjusted_pixels(TContext& context, const AK::Vector<Gfx::Color>& color_data)
-{
-    size_t index = 0;
-    for (size_t y = 0; y < context.height; ++y) {
-        for (size_t x = 0; x < context.width; ++x) {
-            Color color = color_data.at(index);
-            if (context.max_val < 255) {
-                color = adjust_color(context.max_val, color);
-            }
-            context.bitmap->set_pixel(x, y, color);
-            index++;
-        }
-    }
-}
-
 template<typename TContext>
 static void set_pixels(TContext& context, const AK::Vector<Gfx::Color>& color_data)
 {