LibGfx/WOFF: Avoid overflow in table directory search range

This commit limits `WOFF::Header::num_tables` to 4096. This limitation
is not explicitly mentioned in the specification, but allowing numbers
larger than this results in an overflow when calculating
`search_range` and `range_shift`.
Tim Ledbetter 2023-10-23 21:32:20 +01:00 committed by Andreas Kling
parent 4c479b0aaa
commit 7ee09ca49d
Notes: sideshowbarker 2024-07-17 09:41:18 +09:00


@ -93,6 +93,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Readonl
if (header.length > buffer.size())
return Error::from_string_literal("Invalid WOFF length");
if (header.num_tables > NumericLimits<u16>::max() / 16)
return Error::from_string_literal("Invalid WOFF numTables");
if (header.reserved != 0)
return Error::from_string_literal("Invalid WOFF reserved field");
if (header.meta_length == 0 && header.meta_offset != 0)