LibTTF: Guard against unsigned overflow in TTF table parsing

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29170
author: Andreas Kling <kling@serenityos.org> 2021-01-05 14:49:09 +0100
committer: Andreas Kling <kling@serenityos.org> 2021-01-05 14:50:17 +0100
commit: 5e95d62ffef98eec2164157174d182d8d8b538a4 (patch)
tree: 8c8ac57a851fa59d621865bd8048f4c2e76d04a0
parent: 688d249b2dad91b3b795a91604a56c8da93b3482 (diff)
download: serenity-5e95d62ffef98eec2164157174d182d8d8b538a4.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/Libraries/LibTTF/Font.cpp b/Libraries/LibTTF/Font.cpp
index 69b3d1ee07..0e514b7be1 100644
--- a/Libraries/LibTTF/Font.cpp
+++ b/Libraries/LibTTF/Font.cpp
@@ -25,6 +25,7 @@
  */
 
 #include "AK/ByteBuffer.h"
+#include <AK/Checked.h>
 #include <AK/LogStream.h>
 #include <AK/Utf32View.h>
 #include <AK/Utf8View.h>
@@ -271,6 +272,12 @@ RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
         u32 tag = be_u32(buffer.offset_pointer(record_offset));
         u32 table_offset = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Offset));
         u32 table_length = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Length));
+
+        if (Checked<u32>::addition_would_overflow(table_offset, table_length)) {
+            dbgln("Invalid table offset/length in font.");
+            return nullptr;
+        }
+
         if (buffer.size() < table_offset + table_length) {
             dbg() << "Font file too small";
             return nullptr;
author	Andreas Kling <kling@serenityos.org>	2021-01-05 14:49:09 +0100
committer	Andreas Kling <kling@serenityos.org>	2021-01-05 14:50:17 +0100
commit	5e95d62ffef98eec2164157174d182d8d8b538a4 (patch)
tree	8c8ac57a851fa59d621865bd8048f4c2e76d04a0
parent	688d249b2dad91b3b795a91604a56c8da93b3482 (diff)
download	serenity-5e95d62ffef98eec2164157174d182d8d8b538a4.zip