LibGfx/WOFF2: Ensure numTables is within expected range

An error is now returned if `numTables` is zero or greater than 4096. While this isn't explicitly mentioned in the specification, subsequent calculations will be incorrect if the value falls outside this range.
Author: https://github.com/tcl3 Commit: https://github.com/SerenityOS/serenity/commit/52f78d07b8 Pull-request: https://github.com/SerenityOS/serenity/pull/21593
2024-12-04 05:20:30 +00:00 · 2023-10-25 21:46:50 +01:00 · 2023-10-25 21:46:50 +01:00 · 52f78d07b8 · 2024-07-17 01:28:15 +09:00
commit 52f78d07b8
parent e48b3b39cf
3 changed files with 4 additions and 1 deletions
--- a/Tests/LibGfx/TestWOFF2.cpp
+++ b/Tests/LibGfx/TestWOFF2.cpp
@ -24,7 +24,8 @@ TEST_CASE(tolerate_incorrect_sfnt_size)
 TEST_CASE(malformed_woff2)
 {
    Array test_inputs = {
-        TEST_INPUT("woff2/incorrect_compressed_size.woff2"sv)
+        TEST_INPUT("woff2/incorrect_compressed_size.woff2"sv),
+        TEST_INPUT("woff2/invalid_numtables.woff2"sv)
    };

    for (auto test_input : test_inputs) {
--- a/Tests/LibGfx/test-inputs/woff2/invalid_numtables.woff2
+++ b/Tests/LibGfx/test-inputs/woff2/invalid_numtables.woff2
--- a/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
+++ b/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
@ -859,6 +859,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Seekabl
    static constexpr size_t MAX_BUFFER_SIZE = 10 * MiB;
    if (header.length > TRY(stream.size()))
        return Error::from_string_literal("Invalid WOFF length");
+    if (header.num_tables == 0 || header.num_tables > NumericLimits<u16>::max() / 16)
+        return Error::from_string_literal("Invalid WOFF numTables");
    if (header.total_compressed_size > MAX_BUFFER_SIZE)
        return Error::from_string_literal("Compressed font is more than 10 MiB");
    if (header.meta_length == 0 && header.meta_offset != 0)