From d5bc2919ec26dc73a9bb906deaebd9befb4df6c3 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Mon, 11 Nov 2019 16:48:29 +0100
Subject: [PATCH] FlatGeoBuf: avoid unsigned integer overflow on corrupted files.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18764
and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18762
---
 gdal/ogr/ogrsf_frmts/flatgeobuf/ogrflatgeobuflayer.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/gdal/ogr/ogrsf_frmts/flatgeobuf/ogrflatgeobuflayer.cpp b/gdal/ogr/ogrsf_frmts/flatgeobuf/ogrflatgeobuflayer.cpp
index ca8759d21eb8..1340ed798867 100644
--- a/gdal/ogr/ogrsf_frmts/flatgeobuf/ogrflatgeobuflayer.cpp
+++ b/gdal/ogr/ogrsf_frmts/flatgeobuf/ogrflatgeobuflayer.cpp
@@ -687,7 +687,7 @@ OGRErr OGRFlatGeobufLayer::parseFeature(OGRFeature *poFeature) {
 // a single column index and smallest value type
 if (size > 0 && size < (sizeof(uint16_t) + sizeof(uint8_t)))
 return CPLErrorInvalidSize("property value");
- while (offset < (size - 1)) {
+ while (offset + 1 < size) {
 if (offset + sizeof(uint16_t) > size)
 return CPLErrorInvalidSize("property value");
 uint16_t i = *((uint16_t *)(data + offset));
@@ -876,6 +876,11 @@ OGRMultiLineString *OGRFlatGeobufLayer::readMultiLineString(const Feature *featu
 uint32_t offset = 0;
 for (uint32_t i = 0; i < pEnds->size(); i++) {
 const auto e = pEnds->Get(i);
+ if( e < offset )
+ {
+ delete mls;
+ return CPLErrorInvalidLength("MultiLineString");
+ }
 const auto ls = readLineString(feature, pXy, e - offset, offset);
 if (ls == nullptr) {
 delete mls;
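Review bot: The new loop condition `offset + 1 < size` is correct but carries no explanation, so a later cleanup could rewrite it back to the `size - 1` form that underflows when `size` is 0 on a corrupted file. Add a comment above the while, `// written as offset + 1 < size, not offset < size - 1: size is unsigned and may be 0`. The untouched `if (offset + sizeof(uint16_t) > size)` check on the next line relies on the same reasoning and would benefit from the same note, and the `*((uint16_t *)(data + offset))` read below it is an unaligned access for odd offsets, a pre-existing concern this change does not touch. parseFeature's body continues outside the hunk.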
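Review bot: The new guard is formatted `if( e < offset )` with the brace on its own line, which differs from the `if (ls == nullptr) {` style used in the same loop; write it as `if (e < offset) {` to match the surrounding code. A why-comment would also help, because `e < offset` on its own reads like an ordering check rather than protection for the unsigned `e - offset` passed to readLineString: `// ends must be non-decreasing; e - offset below is unsigned`. Note that `e == offset` still passes and hands readLineString a zero-length count, which may be intended; whether `e` is also bounded against the coordinate array appears to be left to readLineString, which is not visible here. readMultiLineString begins and ends outside the hunk.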