mirror of
https://github.com/RGBCube/serenity
synced 2025-07-25 22:07:35 +00:00
LibGfx/WOFF: Avoid overflow in table directory search range
This commit limits `WOFF::Header::num_tables` to 4096. This limitation is not explicitly mentioned in the specification, but allowing numbers larger than this results in an overflow when calculating `search_range` and `range_shift`.
This commit is contained in:
parent
4c479b0aaa
commit
7ee09ca49d
1 changed files with 2 additions and 0 deletions
|
@ -93,6 +93,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Readonl
|
|||
|
||||
if (header.length > buffer.size())
|
||||
return Error::from_string_literal("Invalid WOFF length");
|
||||
if (header.num_tables > NumericLimits<u16>::max() / 16)
|
||||
return Error::from_string_literal("Invalid WOFF numTables");
|
||||
if (header.reserved != 0)
|
||||
return Error::from_string_literal("Invalid WOFF reserved field");
|
||||
if (header.meta_length == 0 && header.meta_offset != 0)
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue