Introduce greallocn_checkoverflow and use it in FoFiTrueType::parse

Fixes the other part of bug 17811

3 files changed, 24 insertions, 2 deletions

diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index 8502f241..60906aef 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -1908,8 +1908,8 @@ void FoFiTrueType::parse() {
     pos += 16;
   }
   nTables -= wrongTables;
-  tables = (TrueTypeTable *)greallocn(tables, nTables, sizeof(TrueTypeTable));
-  if (!parsedOk) {
+  tables = (TrueTypeTable *)greallocn_checkoverflow(tables, nTables, sizeof(TrueTypeTable));
+  if (!parsedOk || tables == NULL) {
     return;
   }
 
diff --git a/goo/gmem.cc b/goo/gmem.cc
index a64ddb4a..2a638dea 100644
--- a/goo/gmem.cc
+++ b/goo/gmem.cc
@@ -227,6 +227,27 @@ void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP {
   return grealloc(p, n);
 }
 
+void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP {
+  int n;
+
+  if (nObjs == 0) {
+    if (p) {
+      gfree(p);
+    }
+    return NULL;
+  }
+  n = nObjs * objSize;
+  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
+#if USE_EXCEPTIONS
+    throw GMemException();
+#else
+    fprintf(stderr, "Bogus memory allocation size\n");
+    return NULL;
+#endif
+  }
+  return grealloc(p, n);
+}
+
 void gfree(void *p) {
 #ifdef DEBUG_MEM
   int size;
diff --git a/goo/gmem.h b/goo/gmem.h
index 760cadc7..ff9b24dd 100644
--- a/goo/gmem.h
+++ b/goo/gmem.h
@@ -71,6 +71,7 @@ extern void *grealloc(void *p, size_t size) GMEM_EXCEP;
 extern void *gmallocn(int nObjs, int objSize) GMEM_EXCEP;
 extern void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP;
 extern void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP;
+extern void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP;
 
 /*
  * Same as free, but checks for and ignores NULL pointers.