From 9191829a39c7774d7cb8dfaa5675ff31a49a4a8f Mon Sep 17 00:00:00 2001
From: Brian Gianforcaro <bgianf@serenityos.org>
Date: Sat, 16 Apr 2022 20:30:06 -0700
Subject: [PATCH] LibGfx: Fix bounds overflow in JPGLoader

Taotao Gu has been fuzzing serenity libs with their own custom fuzzer.
They reported some issues it found privately, this overflow was found
in the JPGLoader using that fuzzer.

Reported-by: Taotao Gu <gutaotao1995@qq.com>
---
 Userland/Libraries/LibGfx/JPGLoader.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Userland/Libraries/LibGfx/JPGLoader.cpp b/Userland/Libraries/LibGfx/JPGLoader.cpp
index 07fb88fb47..08a2db96c4 100644
--- a/Userland/Libraries/LibGfx/JPGLoader.cpp
+++ b/Userland/Libraries/LibGfx/JPGLoader.cpp
@@ -420,6 +420,8 @@ static Optional<Vector<Macroblock>> decode_huffman_stream(JPGLoadingContext& con
 
 static inline bool bounds_okay(const size_t cursor, const size_t delta, const size_t bound)
 {
+    if (Checked<size_t>::addition_would_overflow(delta, cursor))
+        return false;
     return (delta + cursor) < bound;
 }