author | Albert Astals Cid <aacid@kde.org> | 2016-09-05 16:10:58 +0200 |
---|---|---|
committer | Albert Astals Cid <aacid@kde.org> | 2016-09-05 16:10:58 +0200 |
commit | 67df1e16d7ae87e8b05c3186063cb925a799790a (patch) | |
tree | 0b009c050372bf89f9e90933f6e471f5cb5cc0f3 /fofi/FoFiTrueType.cc | |
parent | 7024b3c97df1815a4f1c9f677dc05dcf5ee72c3d (diff) |
Check we don't overflow in some calculations
Overflow is undefined behaviour
Diffstat (limited to 'fofi/FoFiTrueType.cc')
-rw-r--r-- | fofi/FoFiTrueType.cc | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index 11699dd6..e914a87e 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -1359,8 +1359,11 @@ void FoFiTrueType::parse() {
 tables[j].checksum = getU32BE(pos + 4, &parsedOk);
 tables[j].offset = (int)getU32BE(pos + 8, &parsedOk);
 tables[j].len = (int)getU32BE(pos + 12, &parsedOk);
- if (tables[j].offset + tables[j].len >= tables[j].offset &&
- tables[j].offset + tables[j].len <= len) {
+ if (unlikely((tables[j].offset < 0) ||
+ (tables[j].len < 0) ||
+ (tables[j].offset < INT_MAX - tables[j].len) ||
+ (tables[j].len > INT_MAX - tables[j].offset) ||
+ (tables[j].offset + tables[j].len >= tables[j].offset && tables[j].offset + tables[j].len <= len))) {
 // ignore any bogus entries in the table directory
 ++j;
 } |
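Review bot: The added clauses are OR-ed into the condition that guards `++j`, so they widen acceptance instead of rejecting entries. Judging by the removed lines, this branch is the one that keeps a table entry, and a negative `offset` or `len` (which the `(int)getU32BE(...)` casts can produce for values above INT_MAX) now takes it too. `tables[j].offset < INT_MAX - tables[j].len` is also true for almost every ordinary entry, so the `<= len` bound is effectively never reached and out-of-range entries from an untrusted font stay in the table directory. The signed overflow is avoided, but the check should be a conjunction: `if (tables[j].offset >= 0 && tables[j].len >= 0 && tables[j].len <= INT_MAX - tables[j].offset && tables[j].offset + tables[j].len <= len) {`. parse() starts and ends outside this hunk, so whether later code re-validates these ranges cannot be seen here.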