LibGfx: Harden TTF parsing against fuzzers

Instead of asserting this edge case, bail out instead. Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42653
author: Brian Gianforcaro <bgianf@serenityos.org> 2021-12-23 02:14:19 -0800
committer: Brian Gianforcaro <b.gianfo@gmail.com> 2021-12-23 17:43:31 -0800
commit: a47f43d4cb3733497163a02bd28d97099a574a5c (patch)
tree: e444b7f32f74efb16d3c266730e8f9b085399b3b
parent: 0a827eaa028e648fb9e42fd02564ab1647a4e190 (diff)
download: serenity-a47f43d4cb3733497163a02bd28d97099a574a5c.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp b/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp
index f561d7c9a6..fb03026d47 100644
--- a/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp
+++ b/Userland/Libraries/LibGfx/TrueTypeFont/Cmap.cpp
@@ -69,7 +69,8 @@ Optional<Cmap::Subtable> Cmap::subtable(u32 index) const
     u16 platform_id = be_u16(m_slice.offset_pointer(record_offset));
     u16 encoding_id = be_u16(m_slice.offset_pointer(record_offset + (u32)Offsets::EncodingRecord_EncodingID));
     u32 subtable_offset = be_u32(m_slice.offset_pointer(record_offset + (u32)Offsets::EncodingRecord_Offset));
-    VERIFY(subtable_offset < m_slice.size());
+    if (subtable_offset >= m_slice.size())
+        return {};
     auto subtable_slice = ReadonlyBytes(m_slice.offset_pointer(subtable_offset), m_slice.size() - subtable_offset);
     return Subtable(subtable_slice, platform_id, encoding_id);
 }
author	Brian Gianforcaro <bgianf@serenityos.org>	2021-12-23 02:14:19 -0800
committer	Brian Gianforcaro <b.gianfo@gmail.com>	2021-12-23 17:43:31 -0800
commit	a47f43d4cb3733497163a02bd28d97099a574a5c (patch)
tree	e444b7f32f74efb16d3c266730e8f9b085399b3b
parent	0a827eaa028e648fb9e42fd02564ab1647a4e190 (diff)
download	serenity-a47f43d4cb3733497163a02bd28d97099a574a5c.zip