LibGfx/WOFF2: Reject fonts with a compressed size larger than 10MiB

This prevents a potential OOM condition when the header is malformed.
Author: https://github.com/tcl3 Commit: https://github.com/SerenityOS/serenity/commit/e9be1bcd09 Pull-request: https://github.com/SerenityOS/serenity/pull/21567
2024-12-11 17:00:37 +00:00 · 2023-10-24 07:54:20 +01:00 · 2023-10-24 07:54:20 +01:00 · e9be1bcd09 · 2024-07-17 09:49:48 +09:00
commit e9be1bcd09
parent af633523af
3 changed files with 15 additions and 0 deletions
--- a/Tests/LibGfx/TestWOFF2.cpp
+++ b/Tests/LibGfx/TestWOFF2.cpp
@ -20,3 +20,16 @@ TEST_CASE(tolerate_incorrect_sfnt_size)
    EXPECT_EQ(font->family(), "Test"_string);
    EXPECT_EQ(font->glyph_count(), 4u);
 }
+
+TEST_CASE(malformed_woff2)
+{
+    Array test_inputs = {
+        TEST_INPUT("woff2/incorrect_compressed_size.woff2"sv)
+    };
+
+    for (auto test_input : test_inputs) {
+        auto file = MUST(Core::MappedFile::map(test_input));
+        auto font_or_error = WOFF2::Font::try_load_from_externally_owned_memory(file->bytes());
+        EXPECT(font_or_error.is_error());
+    }
+}
--- a/Tests/LibGfx/test-inputs/woff2/incorrect_compressed_size.woff2
+++ b/Tests/LibGfx/test-inputs/woff2/incorrect_compressed_size.woff2
--- a/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
+++ b/Userland/Libraries/LibGfx/Font/WOFF2/Font.cpp
@ -859,6 +859,8 @@ ErrorOr<NonnullRefPtr<Font>> Font::try_load_from_externally_owned_memory(Seekabl
    static constexpr size_t MAX_BUFFER_SIZE = 10 * MiB;
    if (header.length > TRY(stream.size()))
        return Error::from_string_literal("Invalid WOFF length");
+    if (header.total_compressed_size > MAX_BUFFER_SIZE)
+        return Error::from_string_literal("Compressed font is more than 10 MiB");
    if (header.meta_length == 0 && header.meta_offset != 0)
        return Error::from_string_literal("Invalid WOFF meta block offset");
    if (header.priv_length == 0 && header.priv_offset != 0)