author | Julian Offenhäuser <offenhaeuser@protonmail.com> | 2023-04-06 00:19:06 +0200 |
---|---|---|
committer | Sam Atkins <atkinssj@gmail.com> | 2023-04-06 08:26:22 +0100 |
commit | 602f5459bfa3d8acad9627ac8fc7af6b77cf66ca (patch) | |
tree | c04ee7ded4fb2359cc22e2758880e9c2548f1dd2 /Userland | |
parent | 0c98cde18e9e16e7c64afe5ff602d2409d951ec6 (diff) | |
download | serenity-602f5459bfa3d8acad9627ac8fc7af6b77cf66ca.zip |
LibGfx: Fix out of bounds read in BitmapFont::masked_character_set()
When creating a copy of the font containing only the glyphs that are in
use, we previously looped over all possible code points, instead of the
range of code points that are actually in use (and allocated) in the
font. This is a problem, since we index into the array of widths to find
out if a given glyph is used. This array is only as long as the number
of glyphs the font was created with, causing an out of bounds read when
that number is less than our maximum.
Diffstat (limited to 'Userland')
-rw-r--r-- | Userland/Libraries/LibGfx/Font/BitmapFont.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Userland/Libraries/LibGfx/Font/BitmapFont.cpp b/Userland/Libraries/LibGfx/Font/BitmapFont.cpp
index 074d78e720..c165b24864 100644
--- a/Userland/Libraries/LibGfx/Font/BitmapFont.cpp
+++ b/Userland/Libraries/LibGfx/Font/BitmapFont.cpp
@@ -118,7 +118,7 @@ ErrorOr<NonnullRefPtr<BitmapFont>> BitmapFont::masked_character_set() const
 if (!new_range_mask)
 return Error::from_errno(errno);
 u16 new_range_mask_size { 0 };
- for (size_t i = 0; i < s_max_glyph_count; ++i) {
+ for (size_t i = 0; i < m_glyph_count; ++i) {
 if (m_glyph_widths[i] > 0) {
 new_range_mask[i / 256 / 8] |= 1 << (i / 256 % 8);
 if (i / 256 / 8 + 1 > new_range_mask_size)
@@ -136,7 +136,7 @@ ErrorOr<NonnullRefPtr<BitmapFont>> BitmapFont::masked_character_set() const
 auto* new_widths = static_cast<u8*>(calloc(new_glyph_count, 1));
 if (!new_widths)
 return Error::from_errno(errno);
- for (size_t i = 0, j = 0; i < s_max_glyph_count; ++i) {
+ for (size_t i = 0, j = 0; i < m_glyph_count; ++i) {
 if (!(new_range_mask[i / 256 / 8] & 1 << (i / 256 % 8))) {
 j++;
 i += 255; |
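Review bot: In the first loop the new bound `m_glyph_count` also limits the write `new_range_mask[i / 256 / 8] |= ...`, but nothing visible ties it to the size of `new_range_mask`, which is allocated above the hunk. If that buffer is sized from `s_max_glyph_count`, as the removed bound suggests, the invariant should be stated at the loop, e.g. `VERIFY(m_glyph_count <= s_max_glyph_count);`, so a font object carrying a larger count fails loudly instead of writing past the mask. The same bound governs the second loop's reads of `new_range_mask` (hunk at -136). The function body starts and ends outside both hunks.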
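Review bot: The range test `new_range_mask[i / 256 / 8] & 1 << (i / 256 % 8)` in the second loop depends on `<<` binding tighter than `&`; writing it as `new_range_mask[i / 256 / 8] & (1 << (i / 256 % 8))` makes the intent explicit. The same index arithmetic is repeated in the first loop, so a named constant for what appears to be a 256-glyph range size would keep the two expressions in step. The loop body continues past the end of the hunk.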