Commit 67df1e16 authored by Albert Astals Cid's avatar Albert Astals Cid

Check we don't overflow in some calculations

Overflow is undefined behaviour
parent 7024b3c9
......@@ -196,6 +196,8 @@ Guint FoFiBase::getUVarBE(int pos, int size, GBool *ok) {
GBool FoFiBase::checkRegion(int pos, int size) {
return pos >= 0 &&
pos < INT_MAX - size &&
size < INT_MAX - pos &&
pos + size >= pos &&
pos + size <= len;
}
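Review bot: `checkRegion` still never rejects a negative `size`, so the added `pos < INT_MAX - size` evaluates `INT_MAX - size` with a negative operand and can itself overflow, which is the undefined behaviour this commit sets out to remove. The two added comparisons are also the same test (`pos + size < INT_MAX`) written twice. The retained `pos + size >= pos` is only meaningful if the addition wraps. A subtraction-only form avoids all of this: `return pos >= 0 && size >= 0 && size <= len && pos <= len - size;`, which assumes `len` is an `int` member, since its declaration is not visible in this hunk. Callers pass offsets and sizes read from the font file, so this check should hold for every possible `int` pair.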
......@@ -1359,8 +1359,11 @@ void FoFiTrueType::parse() {
tables[j].checksum = getU32BE(pos + 4, &parsedOk);
tables[j].offset = (int)getU32BE(pos + 8, &parsedOk);
tables[j].len = (int)getU32BE(pos + 12, &parsedOk);
if (tables[j].offset + tables[j].len >= tables[j].offset &&
tables[j].offset + tables[j].len <= len) {
if (unlikely((tables[j].offset < 0) ||
(tables[j].len < 0) ||
(tables[j].offset < INT_MAX - tables[j].len) ||
(tables[j].len > INT_MAX - tables[j].offset) ||
(tables[j].offset + tables[j].len >= tables[j].offset && tables[j].offset + tables[j].len <= len))) {
// ignore any bogus entries in the table directory
++j;
}
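Review bot: The new condition in `FoFiTrueType::parse()` ORs the rejection tests into the branch that keeps the entry, because `++j` is the accept path. An entry with `tables[j].offset < 0` or `tables[j].len < 0` is therefore now accepted. For non-negative values, `tables[j].offset < INT_MAX - tables[j].len` is true for almost every input, so the `<= len` bound is effectively never consulted and entries pointing past the end of the file are kept. The `unlikely()` hint also marks the normal valid-entry path as cold. The accept condition should be a conjunction without any addition, for example `if (tables[j].offset >= 0 && tables[j].len >= 0 && tables[j].len <= len && tables[j].offset <= len - tables[j].len) {`. The rest of `parse()` lies outside this hunk, so whether later code re-validates the table ranges cannot be confirmed from here.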
......