From 78066156a1659c4fdb7abb47ff02f338547aca7b Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Fri, 26 Apr 2024 14:54:45 +0200
Subject: [PATCH] Miramon: avoid Unsigned-integer-overflow in MMCreateExtendedDBFIndex()

Validate that FirstRecordOffset as computed in MM_ReadExtendedDBFHeaderFromFile() is not negative. Otherwise it gets later passed to MMCreateExtendedDBFIndex() which casts it to a uint64_t, and thus lead to unsigned integer overflow when doing:
```
fseek_function(f, (MM_FILE_OFFSET)offset_1era + (MM_FILE_OFFSET)bytes_acumulats_id_grafic, SEEK_SET);
```

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68303
---
 ogr/ogrsf_frmts/miramon/mm_gdal_functions.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/ogr/ogrsf_frmts/miramon/mm_gdal_functions.c b/ogr/ogrsf_frmts/miramon/mm_gdal_functions.c
index 0edb01c2ed1a..a7f52941ccf6 100644
--- a/ogr/ogrsf_frmts/miramon/mm_gdal_functions.c
+++ b/ogr/ogrsf_frmts/miramon/mm_gdal_functions.c
@@ -1123,7 +1123,7 @@ int MM_ReadExtendedDBFHeaderFromFile(const char *szFileName,
     FILE_TYPE *pf;
     unsigned short int two_bytes;
     MM_EXT_DBF_N_FIELDS nIField;
-    MM_FIRST_RECORD_OFFSET_TYPE offset_primera_fitxa;
+    uint16_t offset_primera_fitxa;
     MM_FIRST_RECORD_OFFSET_TYPE offset_fals = 0;
     MM_BOOLEAN incoherent_record_size = FALSE;
     MM_BYTE un_byte;
@@ -1268,9 +1268,17 @@ int MM_ReadExtendedDBFHeaderFromFile(const char *szFileName,
     memcpy(&FirstRecordOffsetLow16Bits, &offset_primera_fitxa, 2);
     memcpy(&FirstRecordOffsetHigh16Bits, &pMMBDXP->reserved_2, 2);
 
-    pMMBDXP->FirstRecordOffset =
-        ((GUInt32)FirstRecordOffsetHigh16Bits << 16) |
-        FirstRecordOffsetLow16Bits;
+    GUInt32 nTmp = ((GUInt32)FirstRecordOffsetHigh16Bits << 16) |
+                   FirstRecordOffsetLow16Bits;
+    if (nTmp > INT32_MAX)
+    {
+        free_function(pMMBDXP->pField);
+        pMMBDXP->pField = nullptr;
+        pMMBDXP->nFields = 0;
+        fclose_and_nullify(&pMMBDXP->pfDataBase);
+        return 1;
+    }
+    pMMBDXP->FirstRecordOffset = (MM_FIRST_RECORD_OFFSET_TYPE)nTmp;
 
     if (some_problems_when_reading > 0)
         offset_fals = pMMBDXP->FirstRecordOffset;
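Review bot: The new `if (nTmp > INT32_MAX)` guard carries no comment tying the bare bound to the type it protects, so a later widening of MM_FIRST_RECORD_OFFSET_TYPE would silently leave a stale limit; I would add `/* FirstRecordOffset must stay non-negative: a larger value turns negative once MMCreateExtendedDBFIndex() widens it to MM_FILE_OFFSET for fseek */` above the check. The rejection is also silent (a plain `return 1` with no diagnostic), which makes a corrupted header hard to tell apart from the function's other failure modes; if the function reports errors elsewhere, this path should do the same. The check only rules out the sign bit: an offset that is positive but smaller than the fixed header plus the field descriptors, or larger than the file itself, still reaches the later fseek/fread, so a lower bound and a file-size comparison at the same spot would be worth adding, assuming the file length is available here, which I cannot see. The five-line cleanup block presumably repeats the function's existing error-exit cleanup, and a shared `goto` label would keep the two in step. MM_ReadExtendedDBFHeaderFromFile begins and ends outside the hunk.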