From 82df0086093e53b11faa383be52800288bd65175 Mon Sep 17 00:00:00 2001
From: ChrisCoxArt
Date: Sat, 28 Feb 2026 17:46:54 -0800
Subject: [PATCH] Check offsets before calling ApplySequence
Fixes #623
---
 IccProfLib/IccMpeCalc.cpp | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/IccProfLib/IccMpeCalc.cpp b/IccProfLib/IccMpeCalc.cpp
index 9a9819bed..74aaa092b 100644
--- a/IccProfLib/IccMpeCalc.cpp
+++ b/IccProfLib/IccMpeCalc.cpp
@@ -3765,10 +3765,15 @@ bool CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator *pApply, icUInt32N
 if (nSel<0 || (icUInt32Number)nSel>=op->extra) {
 if (ops[nDefOff].sig==icSigDefaultOp) {
- if (os.idx+1 + ops[nDefOff].extra >= nOps)
+ size_t offset = (size_t)os.idx + 1 + ops[nDefOff].extra;
+ if (offset >= nOps)
 return false;
- if (!ApplySequence(pApply, ops[nDefOff].data.size, &ops[os.idx+1 + ops[nDefOff].extra]))
+ icUInt32Number dataSize = ops[nDefOff].data.size;
+ if ((nDefOff + dataSize) >= nOps)
+ return false;
+
+ if (!ApplySequence(pApply, dataSize, &ops[offset]))
 break;
 }
 }
@@ -3778,7 +3783,15 @@ bool CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator *pApply, icUInt32N
 if (nOff >= nOps)
 return false;
- if (!ApplySequence(pApply, ops[nOff].data.size, &ops[os.idx+1 + ops[nOff].extra]))
+ icUInt32Number dataSize = ops[nOff].data.size;
+ if ((nOff + dataSize) >= nOps)
+ return false;
+
+ size_t offset = (size_t)os.idx + 1 + ops[nOff].extra;
+ if (offset >= nOps)
+ return false;
+
+ if (!ApplySequence(pApply, dataSize, &ops[offset]))
 break;
 }
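Review bot: The new size check in the default-op branch bounds the wrong range: the nested call reads `dataSize` ops starting at `&ops[offset]`, but the guard tests `nDefOff + dataSize`, so a sub-sequence can still run past `nOps` whenever `offset` is greater than `nDefOff`. The sum is also built from values read out of the op stream, and if `nDefOff` is a 32-bit `icUInt32Number` (its declaration is outside the hunk) a large `data.size` wraps it back under `nOps`. Since `offset < nOps` is already established at that point, an overflow-free form is `if (dataSize > nOps - offset) return false;`. The second hunk has the same pattern with `nOff + dataSize` and would take the same change once its `offset` check is placed ahead of the size check. ApplySequence's body starts and ends outside both hunks.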