mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-09-15 14:02:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

LibGfx: Actually ensure Cmap subtable offset is within expected range

Browse source 
Our previous check was not sufficient, since it merely checked the
first byte of the EncodingRecord offset is within range, while the
actual read is 4-byte wide.

Fixes ossfuzz-64165.
This commit is contained in:
Idan Horowitz 2023-12-02 11:51:51 +02:00 committed by Andreas Kling
commit e1b438bb1a
Notes: sideshowbarker 2024-07-17 05:03:11 +09:00
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibGfx/Font/OpenType/Cmap.cpp
View file

@ -68,7 +68,7 @@ Optional<Cmap::Subtable> Cmap::subtable(u32 index) const
return {};
}
u32 record_offset = (u32)Sizes::TableHeader + index * (u32)Sizes::EncodingRecord;
if (record_offset + (u32)Offsets::EncodingRecord_Offset >= m_slice.size())
if (record_offset + (u32)Offsets::EncodingRecord_Offset + sizeof(u32) > m_slice.size())
return {};
u16 platform_id = be_u16(m_slice.offset(record_offset));
u16 encoding_id = be_u16(m_slice.offset(record_offset + (u32)Offsets::EncodingRecord_EncodingID));