From a47f43d4cb3733497163a02bd28d97099a574a5c Mon Sep 17 00:00:00 2001
From: Brian Gianforcaro
Date: Thu, 23 Dec 2021 02:14:19 -0800
Subject: [PATCH] LibGfx: Harden TTF parsing against fuzzers

Instead of asserting this edge case, bail out instead.

Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42653
---
 Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp b/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp
index f561d7c9a6..fb03026d47 100644
--- a/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp
+++ b/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp
@@ -69,7 +69,8 @@ Optional Cmap::subtable(u32 index) const
     u16 platform_id = be_u16(m_slice.offset_pointer(record_offset));
     u16 encoding_id = be_u16(m_slice.offset_pointer(record_offset + (u32)Offsets::EncodingRecord_EncodingID));
     u32 subtable_offset = be_u32(m_slice.offset_pointer(record_offset + (u32)Offsets::EncodingRecord_Offset));
-    VERIFY(subtable_offset < m_slice.size());
+    if (subtable_offset >= m_slice.size())
+        return {};
     auto subtable_slice = ReadonlyBytes(m_slice.offset_pointer(subtable_offset), m_slice.size() - subtable_offset);
     return Subtable(subtable_slice, platform_id, encoding_id);
 }
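Review bot: The new guard only rejects offsets at or past the end of the slice, so a subtable_offset of m_slice.size() - 1 still passes and Subtable receives a one-byte slice; nothing in the hunk shows Subtable's constructor (or its callers) checking that the slice is large enough for a subtable header before reading its format and length fields, so if it does not, the same class of out-of-bounds read the commit is fixing remains reachable through a different offset value. A comment on the guard would make the contract explicit: `// Only the offset is validated here; Subtable must itself check that the remaining bytes cover its header.` The three be_u16/be_u32 reads above the guard also rely on record_offset (computed from index earlier in the function, outside this hunk) having been bounded against m_slice.size(), which is worth confirming at the same time. Cmap::subtable begins before the hunk.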