More careful range checks in STAT parsing.

khaledhosny · Mar 25, 2024 · 91ae931 · 91ae931
1 parent f05dbe6
commit 91ae931
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/src/stat.cc b/src/stat.cc
@@ -60,8 +60,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
       return Drop("Invalid designAxisSize");
     }
     if (this->designAxesOffset < headerEnd ||
-        size_t(this->designAxesOffset) +
-          size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) {
+        size_t(this->designAxesOffset) > length ||
+        size_t(this->designAxisCount) * size_t(this->designAxisSize) >
+          length - size_t(this->designAxesOffset)) {
       return Drop("Invalid designAxesOffset");
     }
   }
@@ -94,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     }
   } else {
     if (this->offsetToAxisValueOffsets < headerEnd ||
-        size_t(this->offsetToAxisValueOffsets) +
-          size_t(this->axisValueCount) * sizeof(uint16_t) > length) {
+        size_t(this->offsetToAxisValueOffsets) > length ||
+        size_t(this->axisValueCount) * sizeof(uint16_t) >
+          length - size_t(this->offsetToAxisValueOffsets)) {
       return Drop("Invalid offsetToAxisValueOffsets");
     }
   }
@@ -106,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     if (!table.ReadU16(&axisValueOffset)) {
       return Drop("Failed to read axis value offset");
     }
-    if (this->offsetToAxisValueOffsets + axisValueOffset > length) {
+    // We already checked that offsetToAxisValueOffsets doesn't exceed length,
+    // so this subtraction will not underflow.
+    if (axisValueOffset > length - this->offsetToAxisValueOffsets) {
       return Drop("Invalid axis value offset");
     }
     table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset);