Check for integer overflows involving ReadBlock.

table/format.cc

@@ -67,6 +67,11 @@ Status ReadBlock(RandomAccessFile* file, const ReadOptions& options,
   result->cachable = false;
   result->heap_allocated = false;
 
+  // Check for overflow.
+  if (handle.size() > std::numeric_limits<size_t>::max() - kBlockTrailerSize) {
+    return Status::Corruption("block handle size overflow");
+  }
+
   // Read the block contents as well as the type/crc footer.
   // See table_builder.cc for the code that built this structure.
   size_t n = static_cast<size_t>(handle.size());

util/env_posix.cc

@@ -198,6 +198,10 @@ class PosixRandomAccessFile final : public RandomAccessFile {
 
   Status Read(uint64_t offset, size_t n, Slice* result,
               char* scratch) const override {
+    if (offset > std::numeric_limits<off_t>::max()) {
+      return PosixError(filename_, EINVAL);
+    }
+
     int fd = fd_;
     if (!has_permanent_fd_) {
       fd = ::open(filename_.c_str(), O_RDONLY | kOpenBaseFlags);
@@ -258,7 +262,7 @@ class PosixMmapReadableFile final : public RandomAccessFile {
 
   Status Read(uint64_t offset, size_t n, Slice* result,
               char* scratch) const override {
-    if (offset + n > length_) {
+    if (offset + n < n || offset + n > length_) {
       *result = Slice();
       return PosixError(filename_, EINVAL);
     }

util/env_windows.cc

@@ -247,7 +247,7 @@ class WindowsMmapReadableFile : public RandomAccessFile {
 
   Status Read(uint64_t offset, size_t n, Slice* result,
               char* scratch) const override {
-    if (offset + n > length_) {
+    if (offset + n < n || offset + n > length_) {
       *result = Slice();
       return WindowsError(filename_, ERROR_INVALID_PARAMETER);
     }