ICC: verify validity of data-ranges for ICC tags

Fixing issue #78

diff --git a/babl/babl-icc.c b/babl/babl-icc.c
index fa461cd11b0961dd62858daf72ba9dd277f23f37..3deb29b81ceb8e8df3691e3c156c0592ee87f696 100644 (file)
--- a/babl/babl-icc.c
+++ b/babl/babl-icc.c
@@ -365,6 +365,14 @@ icc_tag (ICC        *state,
           *offset = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
         if (el_length)
           *el_length = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
+
+        if (*offset + *el_length > state->length || *offset < 0)
+        {
+           *offset = 0;
+           *el_length = 0;
+           return 0; // broken input
+        }
+
         return 1;
      }
   }