authorAlbert Astals Cid <aacid@kde.org>2016-09-05 16:10:58 +0200
committerAlbert Astals Cid <aacid@kde.org>2016-09-05 16:10:58 +0200
commit67df1e16d7ae87e8b05c3186063cb925a799790a (patch)
tree0b009c050372bf89f9e90933f6e471f5cb5cc0f3 /fofi/FoFiTrueType.cc
parent7024b3c97df1815a4f1c9f677dc05dcf5ee72c3d (diff)
Check we don't overflow in some calculations
Overflow is undefined behaviour
Diffstat (limited to 'fofi/FoFiTrueType.cc')
-rw-r--r--fofi/FoFiTrueType.cc7
1 files changed, 5 insertions, 2 deletions
diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index 11699dd6..e914a87e 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -1359,8 +1359,11 @@ void FoFiTrueType::parse() {
tables[j].checksum = getU32BE(pos + 4, &parsedOk);
tables[j].offset = (int)getU32BE(pos + 8, &parsedOk);
tables[j].len = (int)getU32BE(pos + 12, &parsedOk);
- if (tables[j].offset + tables[j].len >= tables[j].offset &&
- tables[j].offset + tables[j].len <= len) {
+ if (unlikely((tables[j].offset < 0) ||
+ (tables[j].len < 0) ||
+ (tables[j].offset < INT_MAX - tables[j].len) ||
+ (tables[j].len > INT_MAX - tables[j].offset) ||
+ (tables[j].offset + tables[j].len >= tables[j].offset && tables[j].offset + tables[j].len <= len))) {
// ignore any bogus entries in the table directory
++j;
}
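Review bot: The rewritten condition guarding `++j` is inverted: `++j` is what keeps a table entry, yet the `if` is now true when `tables[j].offset < 0` or `tables[j].len < 0`, and `tables[j].offset < INT_MAX - tables[j].len` is true for almost every non-negative pair, so the `<= len` comparison against the file length is rarely reached. The signed addition is no longer evaluated in the cases where it would overflow, but entries with negative or out-of-file ranges are now accepted instead of dropped, so the bounds validation of values read from the font file is effectively lost. I would state the acceptance condition directly: `if (tables[j].offset >= 0 && tables[j].len >= 0 && tables[j].len <= INT_MAX - tables[j].offset && tables[j].offset + tables[j].len <= len) {`. The `unlikely()` hint should go as well, since a valid entry is the common case. parse() starts and ends outside the hunk, so whether later readers of `tables[]` re-check these ranges is not visible here.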