Bug 1874489 - patch 3 - More careful range checks in STAT parsing. a=RyanVM

Original Revision: https://phabricator.services.mozilla.com/D204918

Differential Revision: https://phabricator.services.mozilla.com/D206179

gfx/ots/src/stat.cc

@@ -60,8 +60,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
       return Drop("Invalid designAxisSize");
     }
     if (this->designAxesOffset < headerEnd ||
-        size_t(this->designAxesOffset) +
-          size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) {
+        size_t(this->designAxesOffset) > length ||
+        size_t(this->designAxisCount) * size_t(this->designAxisSize) >
+          length - size_t(this->designAxesOffset)) {
       return Drop("Invalid designAxesOffset");
     }
   }
@@ -94,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     }
   } else {
     if (this->offsetToAxisValueOffsets < headerEnd ||
-        size_t(this->offsetToAxisValueOffsets) +
-          size_t(this->axisValueCount) * sizeof(uint16_t) > length) {
+        size_t(this->offsetToAxisValueOffsets) > length ||
+        size_t(this->axisValueCount) * sizeof(uint16_t) >
+          length - size_t(this->offsetToAxisValueOffsets)) {
       return Drop("Invalid offsetToAxisValueOffsets");
     }
   }
@@ -106,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
     if (!table.ReadU16(&axisValueOffset)) {
       return Drop("Failed to read axis value offset");
     }
-    if (this->offsetToAxisValueOffsets + axisValueOffset > length) {
+    // We already checked that offsetToAxisValueOffsets doesn't exceed length,
+    // so this subtraction will not underflow.
+    if (axisValueOffset > length - this->offsetToAxisValueOffsets) {
       return Drop("Invalid axis value offset");
     }
     table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset);