Bug 1725742. Validate tag offsets upfront to avoid weird overflow situations later on. r=aosmond
authorJeff Muizelaar <jmuizelaar@mozilla.com>
Thu, 19 Aug 2021 16:33:03 +0000
changeset 589352 56c0e8e558e65cdb96cc8c953fddfb36c16b9ef0
parent 589351 0a75a7e15cca1fba037d116c4aa166fd890be592
child 589353 57c5259febbde85293185d2e55c23b59eaf4f4ac
push id148297
push userjmuizelaar@mozilla.com
push dateThu, 19 Aug 2021 17:17:29 +0000
reviewersaosmond
bugs1725742
milestone93.0a1
Bug 1725742. Validate tag offsets upfront to avoid weird overflow situations later on. r=aosmond Differential Revision: https://phabricator.services.mozilla.com/D122856
gfx/qcms/src/iccread.rs
--- a/gfx/qcms/src/iccread.rs
+++ b/gfx/qcms/src/iccread.rs
@@ -332,20 +332,25 @@ fn read_pcs(mut profile: &mut Profile, m
 fn read_tag_table(_profile: &mut Profile, mem: &mut MemSource) -> Vec<Tag> {
     let count = read_u32(mem, 128);
     if count > MAX_TAG_COUNT {
         invalid_source(mem, "max number of tags exceeded");
         return Vec::new();
     }
     let mut index = Vec::with_capacity(count as usize);
     for i in 0..count {
+        let tag_start = (128 + 4 + 4 * i * 3) as usize;
+        let offset = read_u32(mem, tag_start + 4);
+        if offset as usize > mem.buf.len() {
+            invalid_source(mem, "tag points beyond the end of the buffer");
+        }
         index.push(Tag {
-            signature: read_u32(mem, (128 + 4 + 4 * i * 3) as usize),
-            offset: read_u32(mem, (128 + 4 + 4 * i * 3 + 4) as usize),
-            size: read_u32(mem, (128 + 4 + 4 * i * 3 + 8) as usize),
+            signature: read_u32(mem, tag_start),
+            offset,
+            size: read_u32(mem, tag_start + 8),
         });
     }
 
     index
 }
 
 /// Checks a profile for obvious inconsistencies and returns
 /// true if the profile looks bogus and should probably be
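Review bot: The new guard on the `offset` line of the tag loop only bounds the tag's start; the tag's `size`, read two lines later into the `Tag`, is not validated, so `offset + size` can still run past the buffer (and on a 32-bit target the `usize` sum itself can wrap), which is exactly the "overflow later on" the commit title is trying to head off. Reading the size before the check and tightening it to `if offset as usize > mem.buf.len() || size as usize > mem.buf.len() - offset as usize { invalid_source(mem, "tag extends beyond the end of the buffer"); }` closes that without changing the `Tag` layout. Note also that, unlike the `count > MAX_TAG_COUNT` check at the top of the function which returns an empty table, this branch falls through and still pushes the tag; if `invalid_source` only records the failure rather than aborting the parse (its body is not visible here), consider adding `return Vec::new();` after the call so the two checks behave the same way.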