From 0e20d51b0edc67cb4dd38b625e9dc2e87ed65484 Mon Sep 17 00:00:00 2001
From: Lucas CHOLLET
Date: Wed, 6 Mar 2024 22:15:00 -0500
Subject: [PATCH] LibGfx: Prevent overflow when creating CMYKBitmaps

Fixes oss-fuzz issue 66629.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66629

---
 Userland/Libraries/LibGfx/CMYKBitmap.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibGfx/CMYKBitmap.cpp b/Userland/Libraries/LibGfx/CMYKBitmap.cpp
index bc1822035b0..b052b3c9351 100644
--- a/Userland/Libraries/LibGfx/CMYKBitmap.cpp
+++ b/Userland/Libraries/LibGfx/CMYKBitmap.cpp
@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include
 #include
 
 namespace Gfx {
@@ -11,7 +12,12 @@ namespace Gfx {
 ErrorOr> CMYKBitmap::create_with_size(IntSize const& size)
 {
     VERIFY(size.width() >= 0 && size.height() >= 0);
-    auto data = TRY(ByteBuffer::create_uninitialized(size.width() * size.height() * sizeof(CMYK)));
+    Checked final_size { size.width() };
+    final_size.mul(size.height());
+    final_size.mul(sizeof(CMYK));
+    if (final_size.has_overflow())
+        return Error::from_string_literal("Image dimensions cause an integer overflow");
+    auto data = TRY(ByteBuffer::create_uninitialized(final_size.value()));
     return adopt_ref(*new CMYKBitmap(size, move(data)));
 }
 
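Review bot: The negative-dimension case on the `VERIFY(size.width() >= 0 && size.height() >= 0);` line still terminates the process, while the new code turns the oversized case just below it into a recoverable `Error`; since the commit cites an oss-fuzz report, this function appears to be reachable with decoder-supplied sizes, and the two rejection paths should behave the same way. If that is the case, replace the assertion with `if (size.width() < 0 || size.height() < 0) return Error::from_string_literal("Image dimensions must be non-negative");` — the check itself must stay in some form, because the `Checked` arithmetic that follows relies on both operands being non-negative before they are widened. The template argument of `Checked` and the name of the new header are not visible on this page, so I cannot confirm the accumulator type; it should be an unsigned type at least as wide as `size_t` so that the product compared against `create_uninitialized`'s parameter cannot be truncated. A short comment on the `Checked` line, such as `// Multiply in checked arithmetic so hostile dimensions cannot wrap into a small allocation.`, would record why the plain multiplication was replaced.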