
LibGfx: Actually ensure Cmap subtable offset is within expected range

Our previous check was not sufficient, since it merely checked that the
first byte of the EncodingRecord offset is within range, while the
actual read is 4 bytes wide.

Fixes ossfuzz-64165.
This commit is contained in:
Idan Horowitz 2023-12-02 11:51:51 +02:00 committed by Andreas Kling
parent 10757b7787
commit e1b438bb1a


@ -68,7 +68,7 @@ Optional<Cmap::Subtable> Cmap::subtable(u32 index) const
return {};
}
u32 record_offset = (u32)Sizes::TableHeader + index * (u32)Sizes::EncodingRecord;
if (record_offset + (u32)Offsets::EncodingRecord_Offset >= m_slice.size())
if (record_offset + (u32)Offsets::EncodingRecord_Offset + sizeof(u32) > m_slice.size())
return {};
u16 platform_id = be_u16(m_slice.offset(record_offset));
u16 encoding_id = be_u16(m_slice.offset(record_offset + (u32)Offsets::EncodingRecord_EncodingID));
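Review bot: The new guard on the changed line is also the only thing bounding the two `be_u16` reads that follow it (platform id at `record_offset`, encoding id at `record_offset + EncodingRecord_EncodingID`), and nothing in the code says so; a comment above the `if` would make the invariant explicit, e.g. `// The whole EncodingRecord (platform id, encoding id, 4-byte offset) must lie inside the slice.` If `Sizes::EncodingRecord` is the record length rather than just the stride used on the line above, `if (record_offset + (u32)Sizes::EncodingRecord > m_slice.size())` states that bound directly and keeps the check correct should the field offsets ever change. The `index * (u32)Sizes::EncodingRecord` product is not checked for u32 wrap within this hunk; it is presumably bounded by the index check whose `return {};` appears at the top of the hunk, but that condition is outside our view. The body of `Cmap::subtable` continues outside the hunk, including the read of the 4-byte subtable offset this change protects.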