authorAlbert Astals Cid <aacid@kde.org>2016-09-05 16:10:58 +0200
committerAlbert Astals Cid <aacid@kde.org>2016-09-05 16:10:58 +0200
commit67df1e16d7ae87e8b05c3186063cb925a799790a (patch)
tree0b009c050372bf89f9e90933f6e471f5cb5cc0f3
parent7024b3c97df1815a4f1c9f677dc05dcf5ee72c3d (diff)
Check we don't overflow in some calculations
Overflow is undefined behaviour
-rw-r--r--fofi/FoFiBase.cc2
-rw-r--r--fofi/FoFiTrueType.cc7
2 files changed, 7 insertions, 2 deletions
diff --git a/fofi/FoFiBase.cc b/fofi/FoFiBase.cc
index 86bafd80..07f81648 100644
--- a/fofi/FoFiBase.cc
+++ b/fofi/FoFiBase.cc
@@ -196,6 +196,8 @@ Guint FoFiBase::getUVarBE(int pos, int size, GBool *ok) {
GBool FoFiBase::checkRegion(int pos, int size) {
return pos >= 0 &&
+ pos < INT_MAX - size &&
+ size < INT_MAX - pos &&
pos + size >= pos &&
pos + size <= len;
}
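Review bot: In checkRegion the added `pos < INT_MAX - size` is evaluated before anything establishes that `size` is non-negative, so a negative `size` makes `INT_MAX - size` itself overflow, which is the undefined behaviour this commit sets out to remove. Rejecting negative values first and comparing against the remaining room needs no addition at all: `return pos >= 0 && size >= 0 && pos <= len && size <= len - pos;`. With that form the `pos + size >= pos` wrap-around test is redundant and can be dropped. The two added lines also use `INT_MAX` without the commit adding an include, so the file presumably already pulls in `<limits.h>`; that is worth confirming.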
diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index 11699dd6..e914a87e 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -1359,8 +1359,11 @@ void FoFiTrueType::parse() {
tables[j].checksum = getU32BE(pos + 4, &parsedOk);
tables[j].offset = (int)getU32BE(pos + 8, &parsedOk);
tables[j].len = (int)getU32BE(pos + 12, &parsedOk);
- if (tables[j].offset + tables[j].len >= tables[j].offset &&
- tables[j].offset + tables[j].len <= len) {
+ if (unlikely((tables[j].offset < 0) ||
+ (tables[j].len < 0) ||
+ (tables[j].offset < INT_MAX - tables[j].len) ||
+ (tables[j].len > INT_MAX - tables[j].offset) ||
+ (tables[j].offset + tables[j].len >= tables[j].offset && tables[j].offset + tables[j].len <= len))) {
// ignore any bogus entries in the table directory
++j;
}
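Review bot: The rewritten condition in FoFiTrueType::parse ORs the rejection tests into the branch that executes `++j`, so a directory entry with a negative `offset` or `len` is now kept instead of ignored. Because `tables[j].offset < INT_MAX - tables[j].len` is true for nearly every small pair, the final `<= len` bound is almost never evaluated, and entries pointing past the end of the font data are kept as well. These values come straight from the file through `getU32BE`, so any later code that trusts `tables[j].offset` and `tables[j].len` would be reading attacker-chosen ranges. The accepting branch should be the conjunction of the validity tests, for example `if (tables[j].offset >= 0 && tables[j].len >= 0 && tables[j].offset <= len && tables[j].len <= len - tables[j].offset) {`, which also avoids the signed addition. The `unlikely` hint would then be dropped, since valid entries are the common case; the body of parse() starts and ends outside this hunk.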