From c0db95d3dda1865d4c6bf0666b0e7439b40b9bf2 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 21 Apr 2024 20:35:44 +0200
Subject: Merging upstream version 115.10.0esr.

Signed-off-by: Daniel Baumann
---
 gfx/ots/src/stat.cc | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'gfx/ots/src/stat.cc')

diff --git a/gfx/ots/src/stat.cc b/gfx/ots/src/stat.cc
index f6f65fdf60..0eeaffb1c6 100644
--- a/gfx/ots/src/stat.cc
+++ b/gfx/ots/src/stat.cc
@@ -48,10 +48,6 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     this->minorVersion = 2;
   }
 
-  if (this->designAxisSize < sizeof(AxisRecord)) {
-    return Drop("Invalid designAxisSize");
-  }
-
   size_t headerEnd = table.offset();
 
   if (this->designAxisCount == 0) {
@@ -60,9 +56,13 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
       this->designAxesOffset = 0;
     }
   } else {
+    if (this->designAxisSize < sizeof(AxisRecord)) {
+      return Drop("Invalid designAxisSize");
+    }
     if (this->designAxesOffset < headerEnd ||
-        size_t(this->designAxesOffset) +
-        size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) {
+        size_t(this->designAxesOffset) > length ||
+        size_t(this->designAxisCount) * size_t(this->designAxisSize) >
+        length - size_t(this->designAxesOffset)) {
       return Drop("Invalid designAxesOffset");
     }
   }
@@ -95,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     }
   } else {
     if (this->offsetToAxisValueOffsets < headerEnd ||
-        size_t(this->offsetToAxisValueOffsets) +
-        size_t(this->axisValueCount) * sizeof(uint16_t) > length) {
+        size_t(this->offsetToAxisValueOffsets) > length ||
+        size_t(this->axisValueCount) * sizeof(uint16_t) >
+        length - size_t(this->offsetToAxisValueOffsets)) {
       return Drop("Invalid offsetToAxisValueOffsets");
     }
   }
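Review bot: The rewritten bounds condition in the `@@ -60,9 +56,13 @@` hunk (and its twin in `@@ -95,8 +95,9 @@`) carries no explanation of why it is spelled as `count * size > length - offset` instead of the removed `offset + count * size > length`; only the later `@@ -107,7 +108,9 @@` hunk says why the subtraction form is used, and a reader of these two sites has to rediscover that the sum could wrap around on a crafted table. I'd put a short comment above `if (this->designAxesOffset < headerEnd ||`: `// Compare the record span against the space left after the offset instead of adding to it, so a large offset cannot wrap the sum; the preceding "> length" test keeps the subtraction from underflowing.` and the same wording at the offsetToAxisValueOffsets check. Since the identical three-clause shape now appears twice, a small static helper such as `static bool FitsInTable(size_t offset, size_t count, size_t elem_size, size_t header_end, size_t length)` would state the intent once and leave the underflow reasoning in one place; both callers are in OpenTypeSTAT::Parse, which begins before and continues after these hunks.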
@@ -107,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     if (!table.ReadU16(&axisValueOffset)) {
       return Drop("Failed to read axis value offset");
     }
-    if (this->offsetToAxisValueOffsets + axisValueOffset > length) {
+    // We already checked that offsetToAxisValueOffsets doesn't exceed length,
+    // so this subtraction will not underflow.
+    if (axisValueOffset > length - this->offsetToAxisValueOffsets) {
       return Drop("Invalid axis value offset");
     }
     table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset);
-- 
cgit v1.2.3
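Review bot: The new comment's justification holds only on the `else` path of the `@@ -95,8 +95,9 @@` hunk, which appears to run when axisValueCount is non-zero; on the other path that `> length` check is skipped, so `length - this->offsetToAxisValueOffsets` not underflowing rests on this loop never executing for a zero count, which I infer from it reading one offset per axis value but cannot confirm because the loop header is outside the hunk. If that is the case, the comment should say so rather than "already checked": `// offsetToAxisValueOffsets <= length was verified in the axisValueCount != 0 branch above, and this loop only iterates in that branch, so the subtraction cannot underflow.` It would also read more clearly to hoist `const size_t remaining = length - this->offsetToAxisValueOffsets;` above the loop and compare `axisValueOffset > remaining` each iteration, which makes the single dependency on the earlier check explicit. One style nit: the sibling hunks cast every operand with `size_t(...)` while this check relies on implicit promotion; using the same explicit cast here keeps the three guards uniform. OpenTypeSTAT::Parse continues past the end of this hunk.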