RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 05:07:35 +00:00
Code Issues Activity Actions

LibGfx/TinyVG: Avoid OOM if header contains a bogus color table size

Browse source 
This change limits the amount of memory that is initially allocated for
the color table. This prevents an OOM condition if the file contains an
incorrect color table size.
This commit is contained in:
Tim Ledbetter 2023-10-31 18:16:27 +00:00 committed by Andreas Kling
parent 1ede4f249d
commit aa54007943
3 changed files with 22 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

13
Userland/Libraries/LibGfx/ImageFormats/TinyVGLoader.cpp
View file

@ -127,11 +127,14 @@ static ErrorOr<TinyVGHeader> decode_tinyvg_header(Stream& stream)
return header;
}
static ErrorOr<FixedArray<Color>> decode_color_table(Stream& stream, ColorEncoding encoding, u32 color_count)
static ErrorOr<Vector<Color>> decode_color_table(Stream& stream, ColorEncoding encoding, u32 color_count)
{
if (encoding == ColorEncoding::Custom)
return Error::from_string_literal("Invalid TinyVG: Unsupported color encoding");
auto color_table = TRY(FixedArray<Color>::create(color_count));
static constexpr size_t MAX_INITIAL_COLOR_TABLE_SIZE = 65536;
Vector<Color> color_table;
TRY(color_table.try_ensure_capacity(min(MAX_INITIAL_COLOR_TABLE_SIZE, color_count)));
auto parse_color = [&]() -> ErrorOr<Color> {
switch (encoding) {
case ColorEncoding::RGBA8888: {
@ -157,8 +160,8 @@ static ErrorOr<FixedArray<Color>> decode_color_table(Stream& stream, ColorEncodi
return Error::from_string_literal("Invalid TinyVG: Bad color encoding");
}
};
for (auto& color : color_table) {
color = TRY(parse_color());
while (color_count-- > 0) {
TRY(color_table.try_append(TRY(parse_color())));
}
return color_table;
}
@ -357,7 +360,7 @@ ErrorOr<NonnullRefPtr<TinyVGDecodedImageData>> TinyVGDecodedImageData::decode(St
if (header.version != 1)
return Error::from_string_literal("Invalid TinyVG: Unsupported version");
auto color_table = TRY(decode_color_table(stream, header.color_encoding, header.color_count));
auto const& color_table = TRY(decode_color_table(stream, header.color_encoding, header.color_count));
TinyVGReader reader { stream, header, color_table.span() };
auto rectangle_to_path = [](FloatRect const& rect) -> Path {