authorAndreas Kling <kling@serenityos.org>2021-01-05 14:49:09 +0100
committerAndreas Kling <kling@serenityos.org>2021-01-05 14:50:17 +0100
commit5e95d62ffef98eec2164157174d182d8d8b538a4 (patch)
tree8c8ac57a851fa59d621865bd8048f4c2e76d04a0 /Libraries
parent688d249b2dad91b3b795a91604a56c8da93b3482 (diff)
downloadserenity-5e95d62ffef98eec2164157174d182d8d8b538a4.zip
LibTTF: Guard against unsigned overflow in TTF table parsing
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29170
Diffstat (limited to 'Libraries')
-rw-r--r--Libraries/LibTTF/Font.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/Libraries/LibTTF/Font.cpp b/Libraries/LibTTF/Font.cpp
index 69b3d1ee07..0e514b7be1 100644
--- a/Libraries/LibTTF/Font.cpp
+++ b/Libraries/LibTTF/Font.cpp
@@ -25,6 +25,7 @@
*/
#include "AK/ByteBuffer.h"
+#include <AK/Checked.h>
#include <AK/LogStream.h>
#include <AK/Utf32View.h>
#include <AK/Utf8View.h>
@@ -271,6 +272,12 @@ RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
u32 tag = be_u32(buffer.offset_pointer(record_offset));
u32 table_offset = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Offset));
u32 table_length = be_u32(buffer.offset_pointer(record_offset + (u32)Offsets::TableRecord_Length));
+
+ if (Checked<u32>::addition_would_overflow(table_offset, table_length)) {
+ dbgln("Invalid table offset/length in font.");
+ return nullptr;
+ }
+
if (buffer.size() < table_offset + table_length) {
dbg() << "Font file too small";
return nullptr;
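Review bot: The new guard on the `Checked<u32>::addition_would_overflow(table_offset, table_length)` lines carries no comment saying why it exists, and the reason is not obvious from the next `if`: on u32 wraparound `table_offset + table_length` becomes a small number, so the existing `buffer.size() < ...` comparison would accept a table that lies past the end of the buffer. A one-line comment above the check, `// Both values are attacker-controlled; a wrapped sum would slip past the size check below.`, records that for the next reader. The new branch also logs with `dbgln(...)` while the adjacent existing branch still uses `dbg() << "Font file too small"`; since both report the same class of malformed-input rejection, switching the older line to `dbgln("Font file too small");` would keep them consistent, though that line is pre-existing. The reads at `record_offset + (u32)Offsets::TableRecord_Offset` and `..._Length` above are not visibly bounded against `buffer.size()` within this hunk; if that is established earlier in `load_from_offset` (outside the hunk) a short comment pointing at it would help, and if not the same Checked pattern applies there. `load_from_offset` begins before this hunk and continues past it.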