RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 22:07:35 +00:00
Code Issues Activity Actions

LibGfx/WOFF: Avoid overflow in table directory search range

Browse source 
This commit limits `WOFF::Header::num_tables` to 4096. This limitation
is not explicitly mentioned in the specification, but allowing numbers
larger than this results in an overflow when calculating
`search_range` and `range_shift`.
This commit is contained in:
Tim Ledbetter 2023-10-23 21:32:20 +01:00 committed by Andreas Kling
parent 4c479b0aaa
commit 7ee09ca49d
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibGfx/Font/WOFF/Font.cpp
View file

@ -93,6 +93,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Readonl
if (header.length > buffer.size())
return Error::from_string_literal("Invalid WOFF length");
if (header.num_tables > NumericLimits<u16>::max() / 16)
return Error::from_string_literal("Invalid WOFF numTables");
if (header.reserved != 0)
return Error::from_string_literal("Invalid WOFF reserved field");
if (header.meta_length == 0 && header.meta_offset != 0)