[babl] icc: make bounds protection more robust
- From: Øyvind "pippin" Kolås <ok src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [babl] icc: make bounds protection more robust
- Date: Wed, 24 Aug 2022 11:30:43 +0000 (UTC)
commit 09a2b4668ab10dc18042166641eaf5423ed07ac7
Author: Øyvind Kolås <pippin gimp org>
Date: Wed Aug 24 13:30:18 2022 +0200
icc: make bounds protection more robust
Further improvements to issue #78
babl/babl-icc.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
---
diff --git a/babl/babl-icc.c b/babl/babl-icc.c
index 3deb29b81..38e382a51 100644
--- a/babl/babl-icc.c
+++ b/babl/babl-icc.c
@@ -361,18 +361,23 @@ icc_tag (ICC *state,
sign_t sign = icc_read (sign, TAG_COUNT_OFF + 4 + 12 * t);
if (!strcmp (sign.str, tag))
{
- if (offset)
- *offset = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
- if (el_length)
- *el_length = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
+ int off = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4);
+ int len = icc_read (u32, TAG_COUNT_OFF + 4 + 12* t + 4*2);
- if (*offset + *el_length > state->length || *offset < 0)
+ if (off + len > state->length || off < 0)
{
- *offset = 0;
- *el_length = 0;
+ if (offset)
+ *offset = 0;
+ if (el_length)
+ *el_length = 0;
return 0; // broken input
}
+ if (offset)
+ *offset = off;
+ if (el_length)
+ *el_length = len;
+
return 1;
}
}
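Review bot: The new check `off + len > state->length || off < 0` still lets some malformed tag entries through, because `off` and `len` are `int` variables holding values read as u32. A `len` with the high bit set becomes negative and is never rejected, and the sum `off + len` can overflow, which is undefined behaviour for signed int, so an out-of-range entry can pass and be stored into `*offset` and `*el_length`. Comparing without the addition closes both gaps: `if (off < 0 || len < 0 || off > state->length || len > state->length - off)`. This assumes `state->length` is a non-negative signed value, which the hunk does not show; icc_tag's body also starts and ends outside the hunk.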