From: Øyvind Kolås
Date: Wed, 24 Aug 2022 11:30:18 +0000 (+0200)
Subject: icc: make bounds protection more robust
X-Git-Tag: archive/raspbian/1%0.1.106-3+rpi1^2~15^2~1^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=09a2b4668ab10dc18042166641eaf5423ed07ac7;p=babl.git

icc: make bounds protection more robust

Further improvements to issue #78
---

diff --git a/babl/babl-icc.c b/babl/babl-icc.c
index 3deb29b..38e382a 100644
--- a/babl/babl-icc.c
+++ b/babl/babl-icc.c
@@ -361,18 +361,23 @@ icc_tag (ICC *state,
 sign_t sign = icc_read (sign, TAG_COUNT_OFF + 4 + 12 * t);
 if (!strcmp (sign.str, tag))
 {
- if (offset)
- *offset = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
- if (el_length)
- *el_length = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
+ int off = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
+ int len = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
 
- if (*offset + *el_length > state->length || *offset < 0)
+ if (off + len > state->length || off < 0)
 {
- *offset = 0;
- *el_length = 0;
+ if (offset)
+ *offset = 0;
+ if (el_length)
+ *el_length = 0;
 return 0; // broken input
 }
 
+ if (offset)
+ *offset = off;
+ if (el_length)
+ *el_length = len;
+
 return 1;
 }
 }
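Review bot: The new check `if (off + len > state->length || off < 0)` still does its addition in signed `int`, and `len` is never tested for being negative. Both values come from 32-bit fields of the tag table in the file, so a very large length field can make `off + len` overflow (undefined behaviour, in practice usually a wrap to a negative number) or convert to a negative `len`, and the entry is then accepted as in bounds. Comparing without the addition closes that gap: `if (off < 0 || len < 0 || off > state->length || len > state->length - off)`. This assumes `state->length` is a non-negative `int`-compatible value, which the hunk does not show; the body of `icc_tag` starts and ends outside the hunk.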