diff options
| author | kcwu <kcwu@chromium.org> | 2016-10-04 19:00:41 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-10-04 19:00:41 -0700 |
| commit | 958e57cbe864f356140b74cbc3b70bf352187bd4 (patch) | |
| tree | ec334c7db2f0ab35e926f19c2c7763746d99a042 | |
| parent | 98c6c15abfec45648d85c73e746f0cb109a8d35b (diff) | |
| download | pdfium-958e57cbe864f356140b74cbc3b70bf352187bd4.tar.xz | |
Fix cmdStageAllocMatrix parameter swap
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.
BUG=chromium:651849
Review-Url: https://codereview.chromium.org/2384063006
| -rw-r--r-- | third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch | 13 | ||||
| -rw-r--r-- | third_party/lcms2-2.6/README.pdfium | 1 | ||||
| -rw-r--r-- | third_party/lcms2-2.6/src/cmstypes.c | 2 |
3 files changed, 15 insertions, 1 deletions
diff --git a/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch b/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch new file mode 100644 index 0000000000..cb4156936d --- /dev/null +++ b/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch @@ -0,0 +1,13 @@ +diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c +index 15199c7..6f335d9 100644 +--- a/third_party/lcms2-2.6/src/cmstypes.c ++++ b/third_party/lcms2-2.6/src/cmstypes.c +@@ -4225,7 +4225,7 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io + } + + +- mpe = cmsStageAllocMatrix(self ->ContextID, OutputChans, InputChans, Matrix, Offsets); ++ mpe = cmsStageAllocMatrix(self ->ContextID, InputChans, OutputChans, Matrix, Offsets); + _cmsFree(self ->ContextID, Matrix); + _cmsFree(self ->ContextID, Offsets); + diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium index 29479392c4..1fa3f56164 100644 --- a/third_party/lcms2-2.6/README.pdfium +++ b/third_party/lcms2-2.6/README.pdfium @@ -18,4 +18,5 @@ Local Modifications: 0006-memory-leak-Type_NamedColor_Read.patch: Fix memory leak in Type_NamedColor_Read. 0007-memory-leak-OptimizeByResampling.patch: Fix memory leak in OptimizeByResampling. 0008-memory-leak-Type_MPEmatrix_Read.patch: Fix memory leak in MPEmatrix_Read. +0009-cols-rows-swap.patch: Fix rows/cols swap in cmsStageAllocMatrix. TODO(ochang): List other patches. diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c index 15199c7084..6f335d9bb1 100644 --- a/third_party/lcms2-2.6/src/cmstypes.c +++ b/third_party/lcms2-2.6/src/cmstypes.c @@ -4225,7 +4225,7 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io } - mpe = cmsStageAllocMatrix(self ->ContextID, OutputChans, InputChans, Matrix, Offsets); + mpe = cmsStageAllocMatrix(self ->ContextID, InputChans, OutputChans, Matrix, Offsets); _cmsFree(self ->ContextID, Matrix); _cmsFree(self ->ContextID, Offsets); |