[gdk-pixbuf] ico: Fix potential integer overflow



commit dec9ca22d70c0f0d4492333b4e8147afb038afd2
Author: Dhiru Kholia <dhiru kholia gmail com>
Date:   Thu Nov 30 02:36:26 2017 +0100

    ico: Fix potential integer overflow
    
    The previous overflow check relied on undefined behaviour. Instead of
    checking for an overflowed integer after the fact, check whether the
    addition would be possible at all.
    
    Fixes: CVE-2017-6312
    
    https://bugzilla.gnome.org/show_bug.cgi?id=779012

 gdk-pixbuf/io-ico.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)
---
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 8729a0f..a867257 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
        for (l = State->entries; l != NULL; l = g_list_next (l)) {
                entry = l->data;
 
-               /* We know how many bytes are in the "header" part. */
-               State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
-               if (State->HeaderSize < 0) {
+               /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
+               if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
                        g_set_error (error,
                                     GDK_PIXBUF_ERROR,
                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
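Review bot: The new guard on `entry->DIBoffset` only rejects values large enough to overflow upwards, whereas the removed `State->HeaderSize < 0` test also caught a negative DIBoffset (at least one below -INFOHEADER_SIZE). If DIBoffset is a signed gint decoded from untrusted file bytes and is not already range-checked where the entry is parsed — that code is outside this hunk, so I cannot confirm — a negative value now flows unchecked into the `State->HeaderSize` assignment added in the following hunk and yields a negative header size. Rejecting both directions before the addition is a one-line change: `if (entry->DIBoffset < 0 || entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {`. DecodeHeader begins before this hunk and its remaining body is outside the view.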
@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
                        return;
                }
 
+               /* We know how many bytes are in the "header" part. */
+               State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
                if (State->HeaderSize>State->BytesInHeaderBuf) {
                        guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
                        if (!tmp) {

