From 09a2b4668ab10dc18042166641eaf5423ed07ac7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C3=98yvind=20Kol=C3=A5s?=
Date: Wed, 24 Aug 2022 13:30:18 +0200
Subject: [PATCH] icc: make bounds protection more robust

Further improvements to issue #78
---
 babl/babl-icc.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/babl/babl-icc.c b/babl/babl-icc.c
index 3deb29b..38e382a 100644
--- a/babl/babl-icc.c
+++ b/babl/babl-icc.c
@@ -361,18 +361,23 @@ icc_tag (ICC *state,
 sign_t sign = icc_read (sign, TAG_COUNT_OFF + 4 + 12 * t);
 if (!strcmp (sign.str, tag))
 {
- if (offset)
- *offset = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
- if (el_length)
- *el_length = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
+ int off = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
+ int len = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
- if (*offset + *el_length > state->length || *offset < 0)
+ if (off + len > state->length || off < 0)
 {
- *offset = 0;
- *el_length = 0;
+ if (offset)
+ *offset = 0;
+ if (el_length)
+ *el_length = 0;
 return 0; // broken input
 }
+ if (offset)
+ *offset = off;
+ if (el_length)
+ *el_length = len;
+
 return 1;
 }
 }
--
2.30.2
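Review bot: The rewritten guard `if (off + len > state->length || off < 0)` still lets a hostile tag length through, because `len` is never tested on its own: if `icc_read (u32, …)` yields an unsigned 32-bit value as its name suggests, a length with the top bit set becomes a negative `int`, the sum stays below `state->length`, and the caller then receives a negative `*el_length`; likewise two large non-negative values make the signed addition overflow, which is undefined behaviour rather than a reliable wrap. I would reject negative lengths and avoid forming the sum at all, e.g. `if (off < 0 || len < 0 || off > state->length - len)`, which is safe provided `state->length` is a non-negative signed value (its type is not visible in the hunk). The `off < 0` test the patch keeps shows the author already expects values to go negative after the conversion, so the same reasoning applies to `len`. icc_tag begins before the hunk and its final return lies after it.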