RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-31 15:42:44 +00:00
Code Issues Activity Actions

LibGfx/ICC: Ensure Macintosh ScriptCode length is within expected range

Browse source 
Previously, it was possible for a `TextDescriptionTagData` object with
an incorrect Macintosh ScriptCode description length to cause a buffer
overflow.
This commit is contained in:
Tim Ledbetter 2023-11-11 11:17:43 +00:00 committed by Andreas Kling
parent 10624a2beb
commit f87d93b4ee
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Userland/Libraries/LibGfx/ICC/TagTypes.cpp
View file

@ -1151,7 +1151,10 @@ ErrorOr<NonnullRefPtr<TextDescriptionTagData>> TextDescriptionTagData::from_byte
u8 macintosh_description_length = *cursor;
cursor += 1;
if (macintosh_description_length > 67)
Checked<u32> macintosh_description_end = unicode_desciption_end;
macintosh_description_end += 3;
macintosh_description_end += macintosh_description_length;
if (macintosh_description_length > 67 || macintosh_description_end.has_overflow() || macintosh_description_end.value() > bytes.size())
return Error::from_string_literal("ICC::Profile: textDescriptionType ScriptCode description too long");
u8 const* macintosh_description_data = cursor;