mirror of
https://github.com/SerenityOS/serenity
synced 2024-10-15 20:33:10 +00:00
LibTTF: Check if the given offset plus offset table size would overflow
If it does overflow, it would think there was enough data to read in table information, when there isn't. This would cause read buffer overflows when reading in the table information. Found by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29338&sort=-opened&can=1&q=proj%3Aserenity
This commit is contained in:
parent
83c29bd8d7
commit
3e723ec177
|
@ -241,6 +241,11 @@ RefPtr<Font> Font::load_from_memory(ByteBuffer& buffer, unsigned index)
|
|||
// FIXME: "loca" and "glyf" are not available for CFF fonts.
|
||||
RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
|
||||
{
|
||||
if (Checked<u32>::addition_would_overflow(offset, (u32)Sizes::OffsetTable)) {
|
||||
dbgln("Invalid offset in font header");
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
if (buffer.size() < offset + (u32)Sizes::OffsetTable) {
|
||||
dbgln("Font file too small");
|
||||
return nullptr;
|
||||
|
|
Loading…
Reference in a new issue