authorBrian Gianforcaro <bgianf@serenityos.org>2022-04-16 20:30:06 -0700
committerAli Mohammad Pur <Ali.mpfard@gmail.com>2022-04-17 09:39:48 +0430
commit9191829a39c7774d7cb8dfaa5675ff31a49a4a8f (patch)
tree48b71910867148a24c210f2288a9cf8498fba0e8
parent4ea910d129aa107a9aeb3af67bdc3d77c7b00b04 (diff)
downloadserenity-9191829a39c7774d7cb8dfaa5675ff31a49a4a8f.zip
LibGfx: Fix bounds overflow in JPGLoader
Taotao Gu has been fuzzing serenity libs with their own custom fuzzer. They reported some issues it found privately; this overflow was found in the JPGLoader using that fuzzer. Reported-by: Taotao Gu <gutaotao1995@qq.com>
-rw-r--r--Userland/Libraries/LibGfx/JPGLoader.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/Userland/Libraries/LibGfx/JPGLoader.cpp b/Userland/Libraries/LibGfx/JPGLoader.cpp
index 07fb88fb47..08a2db96c4 100644
--- a/Userland/Libraries/LibGfx/JPGLoader.cpp
+++ b/Userland/Libraries/LibGfx/JPGLoader.cpp
@@ -420,6 +420,8 @@ static Optional<Vector<Macroblock>> decode_huffman_stream(JPGLoadingContext& con
static inline bool bounds_okay(const size_t cursor, const size_t delta, const size_t bound)
{
+ if (Checked<size_t>::addition_would_overflow(delta, cursor))
+ return false;
return (delta + cursor) < bound;
}