LibGfx: Actually ensure Cmap subtable offset is within expected range
Our previous check was not sufficient, since it merely checked that the first byte of the EncodingRecord offset is within range, while the actual read is 4 bytes wide. Fixes ossfuzz-64165.
parent
10757b7787
commit
e1b438bb1a
1 changed files with 1 additions and 1 deletions
|
@ -68,7 +68,7 @@ Optional<Cmap::Subtable> Cmap::subtable(u32 index) const
|
||||||
return {};
|
return {};
|
||||||
}
|
}
|
||||||
u32 record_offset = (u32)Sizes::TableHeader + index * (u32)Sizes::EncodingRecord;
|
u32 record_offset = (u32)Sizes::TableHeader + index * (u32)Sizes::EncodingRecord;
|
||||||
if (record_offset + (u32)Offsets::EncodingRecord_Offset >= m_slice.size())
|
if (record_offset + (u32)Offsets::EncodingRecord_Offset + sizeof(u32) > m_slice.size())
|
||||||
return {};
|
return {};
|
||||||
u16 platform_id = be_u16(m_slice.offset(record_offset));
|
u16 platform_id = be_u16(m_slice.offset(record_offset));
|
||||||
u16 encoding_id = be_u16(m_slice.offset(record_offset + (u32)Offsets::EncodingRecord_EncodingID));
|
u16 encoding_id = be_u16(m_slice.offset(record_offset + (u32)Offsets::EncodingRecord_EncodingID));
|
||||||
|
|
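Review bot: The new guard `if (record_offset + (u32)Offsets::EncodingRecord_Offset + sizeof(u32) > m_slice.size())` bounds only the 4-byte offset field, so the two `be_u16` reads below it are covered only as long as that field is the last one in the record. Assuming `Sizes::EncodingRecord` is the full record size, as its use as the stride on the `record_offset` line suggests, `if (record_offset + (u32)Sizes::EncodingRecord > m_slice.size())` states the intent directly and stays correct if the layout changes. `record_offset` is also computed in `u32` from `index`, so the sum could wrap for a large `index` unless the early `return {};` above bounds it; its condition is outside the hunk, as are the start and end of `Cmap::subtable`, so that is worth confirming. The commit changes one file, so nothing pins the fuzzer case; a regression test that feeds a cmap table truncated inside the last encoding record and expects an empty `Optional` would keep this check from regressing.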