RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 05:37:35 +00:00
Code Issues Activity Actions

LibGfx/WOFF2: Reject fonts with a compressed size larger than 10MiB

Browse source 
This prevents a potential OOM condition when the header is malformed.
This commit is contained in:
Tim Ledbetter 2023-10-24 07:54:20 +01:00 committed by Andreas Kling
parent af633523af
commit e9be1bcd09
3 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
View file

@ -859,6 +859,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Seekabl
static constexpr size_t MAX_BUFFER_SIZE = 10 * MiB;
if (header.length > TRY(stream.size()))
return Error::from_string_literal("Invalid WOFF length");
if (header.total_compressed_size > MAX_BUFFER_SIZE)
return Error::from_string_literal("Compressed font is more than 10 MiB");
if (header.meta_length == 0 && header.meta_offset != 0)
return Error::from_string_literal("Invalid WOFF meta block offset");
if (header.priv_length == 0 && header.priv_offset != 0)