From e9be1bcd092a91af53777f49e03bd6c4ecf74e17 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Tue, 24 Oct 2023 07:54:20 +0100
Subject: [PATCH] LibGfx/WOFF2: Reject fonts with a compressed size larger than 10MiB

This prevents a potential OOM condition when the header is malformed.
---
 Tests/LibGfx/TestWOFF2.cpp | 13 +++++++++++++
 .../woff2/incorrect_compressed_size.woff2 | Bin 0 -> 640 bytes
 Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp | 2 ++
 3 files changed, 15 insertions(+)
 create mode 100644 Tests/LibGfx/test-inputs/woff2/incorrect_compressed_size.woff2

diff --git a/Tests/LibGfx/TestWOFF2.cpp b/Tests/LibGfx/TestWOFF2.cpp
index 221ff53110..467f022ffb 100644
--- a/Tests/LibGfx/TestWOFF2.cpp
+++ b/Tests/LibGfx/TestWOFF2.cpp
@@ -20,3 +20,16 @@ TEST_CASE(tolerate_incorrect_sfnt_size)
 EXPECT_EQ(font->family(), "Test"_string);
 EXPECT_EQ(font->glyph_count(), 4u);
 }
+
+TEST_CASE(malformed_woff2)
+{
+ Array test_inputs = {
+ TEST_INPUT("woff2/incorrect_compressed_size.woff2"sv)
+ };
+
+ for (auto test_input : test_inputs) {
+ auto file = MUST(Core::MappedFile::map(test_input));
+ auto font_or_error = WOFF2::Font::try_load_from_externally_owned_memory(file->bytes());
+ EXPECT(font_or_error.is_error());
+ }
+}
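Review bot: The new test in `malformed_woff2` asserts only `font_or_error.is_error()`, so it keeps passing if the fixture is rejected by one of the loader's earlier validation paths rather than by the new compressed-size bound it was added to exercise. If AK::Error exposes the literal it was built from, asserting on the message as well, e.g. `EXPECT_EQ(font_or_error.error().string_literal(), "Compressed font is more than 10 MiB"sv);`, would pin the behaviour this fixture exists to cover (I cannot confirm the accessor name from here). The Array-plus-loop scaffolding is a reasonable shape for adding further malformed inputs later.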
diff --git a/Tests/LibGfx/test-inputs/woff2/incorrect_compressed_size.woff2 b/Tests/LibGfx/test-inputs/woff2/incorrect_compressed_size.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..316f55fc8796b50c2eea19ac516ccf45f12c98ae
GIT binary patch
literal 640
zcmXT-cQayOWME)mU}|9C1JSG>{{R2~A0h_gqhfnEw-8?$DH*l|h9)Nt7C{cKnnpHm zE(S(3CKYA@76sPkD0VIBpDYaXnhTxdy*jQrxwzb1A^rWd^v4f>Z)`8Vzgs&kQ(9@- z(KU{l6-gOOd@D}t6-pc5fA#(HUU>&)J-!#8nASu{lrhAZSRGT{wsr1~MFkVjt_y#r zwdU{s*)i->4zOEIzqTQRH|qTIR!y<=?&+-45|mQsRP8QqFVaX$yE(;u?NJSuJ-=lR z{H}c&X!|EofaQgWM}L!pLaByd9 z&C$@D_OYwWv&%OsB_>~NNlBlX)RoPbE4mso)EEK-7#J996IrLv({^_-kusUEKveXu z1mlDVC+3Ma?_9hxwLQ1(oA6aAvz7skr+ z)VNQ5ft~_`gIckJ($0nnQKA6?Ot*h9mQ*(~2tVRzDUoVibX1pRm1I80k}tfBv%a*& zHl#^@E>XI@f$f+;lx)kQ+pH_LRWw|A#cMM2>;H9WYYkPi^B!iTuET^`45Dj8T+(;SG`+)XHQXP*w5CEC8vj47vaS
literal 0
HcmV?d00001

diff --git a/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp b/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
index f22a894995..ba813a7791 100644
--- a/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
+++ b/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
@@ -859,6 +859,8 @@ ErrorOr> Font::try_load_from_externally_owned_memory(Seekabl
 static constexpr size_t MAX_BUFFER_SIZE = 10 * MiB;
 if (header.length > TRY(stream.size()))
 return Error::from_string_literal("Invalid WOFF length");
+ if (header.total_compressed_size > MAX_BUFFER_SIZE)
+ return Error::from_string_literal("Compressed font is more than 10 MiB");
 if (header.meta_length == 0 && header.meta_offset != 0)
 return Error::from_string_literal("Invalid WOFF meta block offset");
 if (header.priv_length == 0 && header.priv_offset != 0)
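Review bot: The new bound on `header.total_compressed_size` caps the compressed input, but the allocation that can actually blow up is the decompressed output, which a Brotli stream can inflate far beyond its compressed size; a payload well under 10 MiB compressed that declares large table sizes still passes this check unless the uncompressed total is separately bounded against MAX_BUFFER_SIZE elsewhere in try_load_from_externally_owned_memory, which is outside the hunk so I cannot confirm it here. Independently, the new check never ties total_compressed_size to the file itself, so a value under the cap but past the end of the stream still proceeds to the read; since `header.length` is already validated against `stream.size()` on the context line above, I would add `if (header.total_compressed_size > header.length) return Error::from_string_literal("Invalid WOFF compressed size");` directly after the new check. As a style point, the message hardcodes "10 MiB" while the limit lives in the MAX_BUFFER_SIZE constant, so `"Compressed font exceeds MAX_BUFFER_SIZE"` would not drift if the constant is tuned. The enclosing function starts and ends outside the hunk.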