LibTTF: Check if the given offset plus offset table size would overflow

If it does overflow, it would think there was enough data to read in table information, when there isn't. This would cause read buffer overflows when reading in the table information. Found by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29338&sort=-opened&can=1&q=proj%3Aserenity
2024-10-15 20:33:10 +00:00 · 2021-02-07 21:10:42 +00:00 · 2021-02-07 21:10:42 +00:00 · 3e723ec177
parent 83c29bd8d7
commit 3e723ec177
1 changed files with 5 additions and 0 deletions
--- a/Userland/Libraries/LibTTF/Font.cpp
+++ b/Userland/Libraries/LibTTF/Font.cpp
@ -241,6 +241,11 @@ RefPtr<Font> Font::load_from_memory(ByteBuffer& buffer, unsigned index)
 // FIXME: "loca" and "glyf" are not available for CFF fonts.
 RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
 {
+    if (Checked<u32>::addition_would_overflow(offset, (u32)Sizes::OffsetTable)) {
+        dbgln("Invalid offset in font header");
+        return nullptr;
+    }
+
    if (buffer.size() < offset + (u32)Sizes::OffsetTable) {
        dbgln("Font file too small");
        return nullptr;