From 607d453049f92539ec164bc3180567bea19c61cd Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C3=98yvind=20Kol=C3=A5s?=
Date: Wed, 3 Feb 2021 01:00:16 +0100
Subject: [PATCH] icc: add offset bounds checks to read_sign
---
 babl/babl-icc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/babl/babl-icc.c b/babl/babl-icc.c
index b5e4269..52a35d2 100644
--- a/babl/babl-icc.c
+++ b/babl/babl-icc.c
@@ -322,6 +322,11 @@ read_sign (ICC *state, int offset)
 {
 sign_t ret;
+ if (offset < 0 || offset > state->length - 4)
+ {
+ for (int i = 0; i < 5; i ++) ret.str[0]=0;
+ return ret;
+ }
 ret.str[0]=icc_read (u8, offset);
 ret.str[1]=icc_read (u8, offset + 1);
 ret.str[2]=icc_read (u8, offset + 2);
@@ -1191,7 +1196,7 @@ babl_space_from_icc (const char *icc_data,
 trc_red, trc_green, trc_blue);
 babl_free (state);
- ret->space.icc_length = icc_length;
+ ret->space.icc_length = icc_length;
 ret->space.icc_profile = malloc (icc_length);
 memcpy (ret->space.icc_profile, icc_data, icc_length);
 return ret;
--
2.30.2
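Review bot: The zero-fill loop in the new out-of-range branch of read_sign writes `ret.str[0]` five times instead of `ret.str[i]`, so the remaining elements of `ret.str` (presumably five bytes, as the loop bound implies) are returned uninitialized and any caller comparing the signature reads indeterminate stack bytes, which is undefined behaviour and defeats the purpose of the guard. The one-line fix is `for (int i = 0; i < 5; i ++) ret.str[i]=0;`, or `memset (ret.str, 0, sizeof ret.str);` since the file already uses memcpy. The bound `offset > state->length - 4` is the right limit for a four-byte read provided `state->length` is a signed type; if it is unsigned and smaller than 4 the subtraction wraps and the check passes — worth confirming against the ICC struct definition, which is outside this hunk. The second hunk is a whitespace-only change. read_sign's body continues past the end of the hunk.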