LibGfx: Fix bounds overflow in JPGLoader

Taotao Gu has been fuzzing serenity libs with their own custom fuzzer. They reported some issues it found privately, this overflow was found in the JPGLoader using that fuzzer. Reported-by: Taotao Gu <gutaotao1995@qq.com>
Author: https://github.com/bgianfo Commit: https://github.com/SerenityOS/serenity/commit/9191829a39 Pull-request: https://github.com/SerenityOS/serenity/pull/13714
2022-04-16 20:30:06 -07:00 · 2022-04-16 20:30:06 -07:00 · 9191829a39 · 2024-07-17 11:46:09 +09:00
commit 9191829a39
parent 4ea910d129
1 changed files with 2 additions and 0 deletions
--- a/Userland/Libraries/LibGfx/JPGLoader.cpp
+++ b/Userland/Libraries/LibGfx/JPGLoader.cpp
@ -420,6 +420,8 @@ static Optional<Vector<Macroblock>> decode_huffman_stream(JPGLoadingContext& con

 static inline bool bounds_okay(const size_t cursor, const size_t delta, const size_t bound)
 {
+    if (Checked<size_t>::addition_would_overflow(delta, cursor))
+        return false;
    return (delta + cursor) < bound;
 }