authorNico Weber <thakis@chromium.org>2023-02-12 10:33:53 -0500
committerLinus Groh <mail@linusgroh.de>2023-02-12 20:07:45 +0000
commit7e915b145b5eb29520be27b84229aa4998274dc3 (patch)
tree76e3473836ada92f9f4c1c35c3cbc3afa49c46e1
parentb15a889ca4505967197c54f2671a06bc79b8a071 (diff)
LibGfx: Let ICC code validate tag data alignment
Both when reading the main tag table and when reading embedded curve data in lutAToBType or lutBToAType.
-rw-r--r--Userland/Libraries/LibGfx/ICC/Profile.cpp4
-rw-r--r--Userland/Libraries/LibGfx/ICC/TagTypes.cpp4
2 files changed, 8 insertions, 0 deletions
diff --git a/Userland/Libraries/LibGfx/ICC/Profile.cpp b/Userland/Libraries/LibGfx/ICC/Profile.cpp
index e85869ab28..92f964c121 100644
--- a/Userland/Libraries/LibGfx/ICC/Profile.cpp
+++ b/Userland/Libraries/LibGfx/ICC/Profile.cpp
@@ -558,6 +558,10 @@ ErrorOr<void> Profile::read_header(ReadonlyBytes bytes)
ErrorOr<NonnullRefPtr<TagData>> Profile::read_tag(ReadonlyBytes bytes, u32 offset_to_beginning_of_tag_data_element, u32 size_of_tag_data_element)
{
+ // "All tag data elements shall start on a 4-byte boundary (relative to the start of the profile data stream)"
+ if (offset_to_beginning_of_tag_data_element % 4 != 0)
+ return Error::from_string_literal("ICC::Profile: Tag data not aligned");
+
if (offset_to_beginning_of_tag_data_element + size_of_tag_data_element > bytes.size())
return Error::from_string_literal("ICC::Profile: Tag data out of bounds");
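Review bot: The bounds check right after the new alignment guard adds two u32 values in u32 arithmetic, so an offset and size whose sum wraps past 2^32 can satisfy `offset + size <= bytes.size()` while the tag data element actually lies outside `bytes`; the new `% 4` test does not close this, since a wrapped sum can still be a multiple of 4. Rewriting the comparison as a subtraction avoids the wrap: `if (size_of_tag_data_element > bytes.size() || offset_to_beginning_of_tag_data_element > bytes.size() - size_of_tag_data_element)`. The corresponding check in the TagTypes.cpp hunk (read_curve) mixes in `sizeof(u32)`, which promotes the sum to size_t, so it does not appear to have the same problem. read_tag's body continues past the end of this hunk.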
diff --git a/Userland/Libraries/LibGfx/ICC/TagTypes.cpp b/Userland/Libraries/LibGfx/ICC/TagTypes.cpp
index abc70d0356..978e41791a 100644
--- a/Userland/Libraries/LibGfx/ICC/TagTypes.cpp
+++ b/Userland/Libraries/LibGfx/ICC/TagTypes.cpp
@@ -382,6 +382,10 @@ static ErrorOr<CLUTData> read_clut_data(ReadonlyBytes bytes, AdvancedLUTHeader c
static ErrorOr<LutCurveType> read_curve(ReadonlyBytes bytes, u32 offset)
{
+ // "All tag data elements shall start on a 4-byte boundary (relative to the start of the profile data stream)"
+ if (offset % 4 != 0)
+ return Error::from_string_literal("ICC::Profile: lut curve data not aligned");
+
// See read_curves() below.
if (offset + sizeof(u32) > bytes.size())
return Error::from_string_literal("ICC::Profile: not enough data for lut curve type");