authorLei Zhang <leizleiz@users.noreply.github.com>2016-09-01 00:23:47 -0700
committerLei Zhang <leizleiz@users.noreply.github.com>2016-09-01 00:32:19 -0700
commitc9025eccdd389c91a7ff273976de794317c6928e (patch)
tree9587a041b4a77530e20e520491df7dc06d304c72
parentdd230461d199c49d762185d0b02107505d216bee (diff)
downloadsfntly-c9025eccdd389c91a7ff273976de794317c6928e.tar.gz
Add more bounds checks in WritableFontData.
WritableFontData::Slice() needs to do more input validation. Same for ReadableFontData::Slice(). Same for the equivalent Java code. Fixes https://crbug.com/642300
-rw-r--r--cpp/src/sfntly/data/readable_font_data.cc4
-rw-r--r--cpp/src/sfntly/data/writable_font_data.cc7
-rw-r--r--java/src/com/google/typography/font/sfntly/data/ReadableFontData.java3
-rw-r--r--java/src/com/google/typography/font/sfntly/data/WritableFontData.java3
4 files changed, 12 insertions, 5 deletions
diff --git a/cpp/src/sfntly/data/readable_font_data.cc b/cpp/src/sfntly/data/readable_font_data.cc
index 0f93fdb..9ffcb00 100644
--- a/cpp/src/sfntly/data/readable_font_data.cc
+++ b/cpp/src/sfntly/data/readable_font_data.cc
@@ -294,7 +294,9 @@ int32_t ReadableFontData::SearchULong(int32_t start_index,
CALLER_ATTACH FontData* ReadableFontData::Slice(int32_t offset,
int32_t length) {
- if (offset < 0 || offset + length > Size()) {
+ if (offset < 0 || length < 0 ||
+ offset > std::numeric_limits<int32_t>::max() - length ||
+ offset + length > Size()) {
#if !defined (SFNTLY_NO_EXCEPTION)
throw IndexOutOfBoundsException(
"Attempt to bind data outside of its limits");
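Review bot: The new condition uses `std::numeric_limits`, but this commit adds `#include <limits>` only to writable_font_data.cc, and the diffstat for readable_font_data.cc accounts for just the condition change. Unless the header is already included outside this hunk, the file compiles only through a transitive include, so add `#include <limits>` next to its other standard headers. The last clause `offset + length > Size()` is free of signed overflow only because the two clauses before it run first. A short comment such as `// Order matters: the overflow test must precede offset + length.` would keep a later reordering from reintroducing the bug. The body of Slice() continues outside the hunk.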
diff --git a/cpp/src/sfntly/data/writable_font_data.cc b/cpp/src/sfntly/data/writable_font_data.cc
index 4b3b440..073e9df 100644
--- a/cpp/src/sfntly/data/writable_font_data.cc
+++ b/cpp/src/sfntly/data/writable_font_data.cc
@@ -17,6 +17,7 @@
#include "sfntly/data/writable_font_data.h"
#include <algorithm>
+#include <limits>
#include "sfntly/data/memory_byte_array.h"
#include "sfntly/data/growable_memory_byte_array.h"
@@ -167,7 +168,9 @@ void WritableFontData::CopyFrom(InputStream* is) {
CALLER_ATTACH FontData* WritableFontData::Slice(int32_t offset,
int32_t length) {
- if (offset < 0 || offset + length > Size()) {
+ if (offset < 0 || length < 0 ||
+ offset > std::numeric_limits<int32_t>::max() - length ||
+ offset + length > Size()) {
#if !defined (SFNTLY_NO_EXCEPTION)
throw IndexOutOfBoundsException(
"Attempt to bind data outside of its limits");
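Review bot: No regression test accompanies the new checks in Slice(offset, length); the diffstat lists only the four source files. A unit test that calls `Slice(0, -1)`, `Slice(1, std::numeric_limits<int32_t>::max())` and `Slice(-1)` on both ReadableFontData and WritableFontData, and expects the out-of-bounds failure, would pin the behaviour. What the function returns when SFNTLY_NO_EXCEPTION is defined is outside this hunk, so the test should cover that build's failure path as well.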
@@ -179,7 +182,7 @@ CALLER_ATTACH FontData* WritableFontData::Slice(int32_t offset,
}
CALLER_ATTACH FontData* WritableFontData::Slice(int32_t offset) {
- if (offset > Size()) {
+ if (offset < 0 || offset > Size()) {
#if !defined (SFNTLY_NO_EXCEPTION)
throw IndexOutOfBoundsException(
"Attempt to bind data outside of its limits");
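Review bot: The one-argument overload gets its `offset < 0` guard only in the C++ WritableFontData; the one-argument Slice/slice overloads of ReadableFontData and of the two Java classes are not touched by this commit. Their current conditions are not visible here, so confirm each one; any that still tests only `offset > Size()` needs the same `if (offset < 0 || offset > Size())` form. The function body continues outside the hunk.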
diff --git a/java/src/com/google/typography/font/sfntly/data/ReadableFontData.java b/java/src/com/google/typography/font/sfntly/data/ReadableFontData.java
index 2561703..ad7894c 100644
--- a/java/src/com/google/typography/font/sfntly/data/ReadableFontData.java
+++ b/java/src/com/google/typography/font/sfntly/data/ReadableFontData.java
@@ -150,7 +150,8 @@ public class ReadableFontData extends FontData {
*/
@Override
public ReadableFontData slice(int offset, int length) {
- if (offset < 0 || (offset + length) > this.size()) {
+ if (offset < 0 || length < 0 || offset > Integer.MAX_VALUE - length ||
+ (offset + length) > this.size()) {
throw new IndexOutOfBoundsException("Attempt to bind data outside of its limits.");
}
ReadableFontData slice = new ReadableFontData(this, offset, length);
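Review bot: The Javadoc that ends just above `slice(int offset, int length)` lies outside the hunk and is not updated alongside the new rejections. If it does not already say so, it should gain a line such as `@throws IndexOutOfBoundsException if offset or length is negative, or if offset + length exceeds the size of this data`. The same applies to WritableFontData.slice(int, int) in the next file, whose hunk makes the identical change.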
diff --git a/java/src/com/google/typography/font/sfntly/data/WritableFontData.java b/java/src/com/google/typography/font/sfntly/data/WritableFontData.java
index eb10c78..c828170 100644
--- a/java/src/com/google/typography/font/sfntly/data/WritableFontData.java
+++ b/java/src/com/google/typography/font/sfntly/data/WritableFontData.java
@@ -125,7 +125,8 @@ public final class WritableFontData extends ReadableFontData {
*/
@Override
public WritableFontData slice(int offset, int length) {
- if (offset < 0 || (offset + length) > this.size()) {
+ if (offset < 0 || length < 0 || offset > Integer.MAX_VALUE - length ||
+ (offset + length) > this.size()) {
throw new IndexOutOfBoundsException("Attempt to bind data outside of its limits.");
}
WritableFontData slice = new WritableFontData(this, offset, length);