LibTTF: Check if the given offset plus offset table size would overflow

If it does overflow, it would think there was enough data to read in table information, when there isn't. This would cause read buffer overflows when reading in the table information. Found by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29338&sort=-opened&can=1&q=proj%3Aserenity
Author: https://github.com/Lubrsi Commit: https://github.com/SerenityOS/serenity/commit/3e723ec1776 Pull-request: https://github.com/SerenityOS/serenity/pull/5232 Reviewed-by: https://github.com/awesomekling
2025-04-22 12:35:14 +00:00 · 2021-02-07 21:10:42 +00:00 · 2021-02-07 21:10:42 +00:00 · 3e723ec177 · 2024-07-18 22:31:21 +09:00
commit 3e723ec177
parent 83c29bd8d7
1 changed files with 5 additions and 0 deletions
--- a/Userland/Libraries/LibTTF/Font.cpp
+++ b/Userland/Libraries/LibTTF/Font.cpp
@ -241,6 +241,11 @@ RefPtr<Font> Font::load_from_memory(ByteBuffer& buffer, unsigned index)
 // FIXME: "loca" and "glyf" are not available for CFF fonts.
 RefPtr<Font> Font::load_from_offset(ByteBuffer&& buffer, u32 offset)
 {
+    if (Checked<u32>::addition_would_overflow(offset, (u32)Sizes::OffsetTable)) {
+        dbgln("Invalid offset in font header");
+        return nullptr;
+    }
+
    if (buffer.size() < offset + (u32)Sizes::OffsetTable) {
        dbgln("Font file too small");
        return nullptr;