From 5490d73f31ada6b99d45ebdc85074b0cfc4e5b48 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 1 Oct 2019 11:11:29 +0200
Subject: [PATCH] card: Avoid integer overflows
Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17007
---
 src/libopensc/card.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/libopensc/card.c b/src/libopensc/card.c
index b5a7901c..3fe274d8 100644
--- a/src/libopensc/card.c
+++ b/src/libopensc/card.c
@@ -28,6 +28,7 @@
 #include
 #endif
 #include
+#include
 #include "reader-tr03119.h"
 #include "internal.h"
@@ -655,6 +656,11 @@ int sc_read_binary(sc_card_t *card, unsigned int idx,
 LOG_TEST_RET(card->ctx, r, "sc_read_binary() failed");
 }
 p += r;
+ if ((bytes_read > INT_MAX - r) || idx > UINT_MAX - r) {
+ /* `bytes_read + r` or `idx + r` would overflow */
+ sc_unlock(card);
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_OFFSET_TOO_LARGE);
+ }
 idx += r;
 bytes_read += r;
 count -= r;
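Review bot: The new guard in the second hunk runs after `p += r;` and bounds only the two additions, so a driver-reported `r` larger than the bytes still requested (`count` on the last context line) would still advance `p` past the caller's buffer and, if `count` is unsigned (its declaration is outside the hunk), wrap `count -= r` — neither is caught by the `INT_MAX`/`UINT_MAX` checks. Since the preceding `LOG_TEST_RET` has already returned on negative `r`, the guard can be placed before `p += r;` and widened to `if ((size_t)r > count || bytes_read > INT_MAX - r || idx > UINT_MAX - r) {`, keeping the `sc_unlock()` and `LOG_FUNC_RETURN` it already has. As a point of style, the first clause is parenthesized and the second is not; either parenthesize both comparisons or neither. The enclosing `sc_read_binary()` loop begins and ends outside the hunk, so the types of `bytes_read` and `count` are inferred here, not visible.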