diff options
author | Albert Astals Cid <aacid@kde.org> | 2021-05-12 23:39:14 +0200 |
---|---|---|
committer | Albert Astals Cid <aacid@kde.org> | 2021-05-12 23:39:14 +0200 |
commit | 2e8ad35f95965459ebef9a20ba1a98f7fe982e26 (patch) | |
tree | f52d0ec6d95925aa0fc9b29e152763cd88e5841e | |
parent | 60eae9d0cfc05bd14f3081e4bb128de868fc5e93 (diff) |
FoFiTrueType::cvtSfnts: Protect against integer overflow
oss-fuzz/34214
-rw-r--r-- | fofi/FoFiTrueType.cc | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc index 7a3f8c58..ce592b8c 100644 --- a/fofi/FoFiTrueType.cc +++ b/fofi/FoFiTrueType.cc @@ -1186,9 +1186,15 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFunc outputFunc, void *outputStream, const pos = 0; for (i = 0; i <= nGlyphs; ++i) { locaTable[i].newOffset = pos; - pos += locaTable[i].len; - if (pos & 3) { - pos += 4 - (pos & 3); + + int newPos; + if (unlikely(checkedAdd(pos, locaTable[i].len, &newPos))) { + ok = false; + } else { + pos = newPos; + if (pos & 3) { + pos += 4 - (pos & 3); + } } if (locaTable[i].len > 0) { *maxUsedGlyph = i; |