From 7ee09ca49dcb5e153d053b7e4bf364d0ffd88590 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Mon, 23 Oct 2023 21:32:20 +0100
Subject: [PATCH] LibGfx/WOFF: Avoid overflow in table directory search range

This commit limits `WOFF::Header::num_tables` to 4096. This limitation is not explicitly mentioned in the specification, but allowing numbers larger than this results in an overflow when calculating `search_range` and `range_shift`.
---
 Userland/Libraries/LibGfx/Font/WOFF/Font.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Userland/Libraries/LibGfx/Font/WOFF/Font.cpp b/Userland/Libraries/LibGfx/Font/WOFF/Font.cpp
index f4a0e5befd..bba95149c0 100644
--- a/Userland/Libraries/LibGfx/Font/WOFF/Font.cpp
+++ b/Userland/Libraries/LibGfx/Font/WOFF/Font.cpp
@@ -93,6 +93,8 @@ ErrorOr> Font::try_load_from_externally_owned_memory(Readonl
     if (header.length > buffer.size())
         return Error::from_string_literal("Invalid WOFF length");
+    if (header.num_tables > NumericLimits::max() / 16)
+        return Error::from_string_literal("Invalid WOFF numTables");
     if (header.reserved != 0)
         return Error::from_string_literal("Invalid WOFF reserved field");
     if (header.meta_length == 0 && header.meta_offset != 0)
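Review bot: The new bound on `header.num_tables` is a derived magic number with no comment saying what it protects; a reader has to already know that the OpenType `searchRange`/`rangeShift` directory fields are 16-bit and computed as (largest power of two <= numTables) * 16 before `NumericLimits::max() / 16` makes sense. I would put `// searchRange/rangeShift are u16 fields computed as (largest power of two <= numTables) * 16; cap numTables so that product cannot overflow` above the check, or hoist the bound into a named constant such as `static constexpr u16 max_num_tables = NumericLimits<u16>::max() / 16;` and compare against that. Note that this evaluates to 4095, not the 4096 stated in the commit message: 4096 tables would give a searchRange of exactly 65536, which is the overflow being avoided, so the code is right and the description is off by one. The `NumericLimits` template argument appears to have been lost in the rendering of this page (it reads `NumericLimits::max()`); confirm the committed line spells the type explicitly. The enclosing function starts and ends outside this hunk, so whether the directory size implied by numTables is also bounded against `header.length` cannot be seen here.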