fofi/FoFiTrueType.cc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
New commits: commit 2e8ad35f95965459ebef9a20ba1a98f7fe982e26 Author: Albert Astals Cid <aa...@kde.org> Date: Wed May 12 23:39:14 2021 +0200 FoFiTrueType::cvtSfnts: Protect against integer overflow oss-fuzz/34214 diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc index 7a3f8c58..ce592b8c 100644 --- a/fofi/FoFiTrueType.cc +++ b/fofi/FoFiTrueType.cc @@ -1186,9 +1186,15 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFunc outputFunc, void *outputStream, const pos = 0; for (i = 0; i <= nGlyphs; ++i) { locaTable[i].newOffset = pos; - pos += locaTable[i].len; - if (pos & 3) { - pos += 4 - (pos & 3); + + int newPos; + if (unlikely(checkedAdd(pos, locaTable[i].len, &newPos))) { + ok = false; + } else { + pos = newPos; + if (pos & 3) { + pos += 4 - (pos & 3); + } } if (locaTable[i].len > 0) { *maxUsedGlyph = i; _______________________________________________ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler