lcms upstream patches to fix security bugchromium/3021

Patch that fixes LUT consistency: https://github.com/mm2/Little-CMS/commit/9936ecf0745002cea8e46dc575079b4872e9af8c Patch that sanitizes MPE profiles: https://github.com/mm2/Little-CMS/commit/06662a755525586223efe1790da1497d5b2d9e67 BUG=675617 Change-Id: I9ccc4158432387360dcb358e2a015a9434df46e4 Reviewed-on: https://pdfium-review.googlesource.com/2820 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
author: Nicolas Pena <npm@chromium.org> 2017-02-22 12:00:58 -0500
committer: Chromium commit bot <commit-bot@chromium.org> 2017-02-22 18:17:35 +0000
commit: e3f237740fd8bea50b4a6f37f56455dfa0328546 (patch)
tree: 28acdf57354fc3e2d0a031d7315710afe866c55d
parent: 60fd9fc63744419a760201af596515d411b7e194 (diff)
download: pdfium-chromium/3021.tar.xz
4 files changed, 223 insertions, 16 deletions
diff --git a/third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch b/third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch
new file mode 100644
index 0000000000..bfa84e2eed
--- /dev/null
+++ b/third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch
@@ -0,0 +1,170 @@
+diff --git a/third_party/lcms2-2.6/src/cmslut.c b/third_party/lcms2-2.6/src/cmslut.c
+index 9b0eb4b54..19d43361f 100644
+--- a/third_party/lcms2-2.6/src/cmslut.c
++++ b/third_party/lcms2-2.6/src/cmslut.c
+@@ -1255,21 +1255,39 @@ cmsStage* CMSEXPORT cmsStageDup(cmsStage* mpe)
+ // ***********************************************************************************************************
+ 
+ // This function sets up the channel count
+-
+ static
+-void BlessLUT(cmsPipeline* lut)
++cmsBool BlessLUT(cmsPipeline* lut)
+ {
+     // We can set the input/ouput channels only if we have elements.
+     if (lut ->Elements != NULL) {
+ 
+-        cmsStage *First, *Last;
++        cmsStage* prev;
++        cmsStage* next;
++        cmsStage* First;
++        cmsStage* Last;
+ 
+         First  = cmsPipelineGetPtrToFirstStage(lut);
+         Last   = cmsPipelineGetPtrToLastStage(lut);
+ 
+-        if (First != NULL)lut ->InputChannels = First ->InputChannels;
+-        if (Last != NULL) lut ->OutputChannels = Last ->OutputChannels;
++        if (First == NULL || Last == NULL) return FALSE;
++
++        lut->InputChannels = First->InputChannels;
++        lut->OutputChannels = Last->OutputChannels;
++
++        // Check chain consistency
++        prev = First;
++        next = prev->Next;
++
++        while (next != NULL)
++        {
++            if (next->InputChannels != prev->OutputChannels)
++                return FALSE;
++
++            next = next->Next;
++            prev = prev->Next;
++        }
+     }
++    return TRUE;    
+ }
+ 
+ 
+@@ -1331,6 +1349,7 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
+ {
+        cmsPipeline* NewLUT;
+ 
++       // A value of zero in channels is allowed as placeholder
+        if (InputChannels >= cmsMAXCHANNELS ||
+            OutputChannels >= cmsMAXCHANNELS) return NULL;
+ 
+@@ -1348,7 +1367,11 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
+        NewLUT ->Data        = NewLUT;
+        NewLUT ->ContextID   = ContextID;
+ 
+-       BlessLUT(NewLUT);
++       if (!BlessLUT(NewLUT))
++       {
++           _cmsFree(ContextID, NewLUT);
++           return NULL;
++       }
+ 
+        return NewLUT;
+ }
+@@ -1454,7 +1477,12 @@ cmsPipeline* CMSEXPORT cmsPipelineDup(const cmsPipeline* lut)
+ 
+     NewLUT ->SaveAs8Bits    = lut ->SaveAs8Bits;
+ 
+-    BlessLUT(NewLUT);
++    if (!BlessLUT(NewLUT))
++    {
++        _cmsFree(lut->ContextID, NewLUT);
++        return NULL;
++    }
++
+     return NewLUT;
+ }
+ 
+@@ -1491,8 +1519,7 @@ int CMSEXPORT cmsPipelineInsertStage(cmsPipeline* lut, cmsStageLoc loc, cmsStage
+             return FALSE;
+     }
+ 
+-    BlessLUT(lut);
+-    return TRUE;
++    return BlessLUT(lut);    
+ }
+ 
+ // Unlink an element and return the pointer to it
+@@ -1547,6 +1574,7 @@ void CMSEXPORT cmsPipelineUnlinkStage(cmsPipeline* lut, cmsStageLoc loc, cmsStag
+     else
+         cmsStageFree(Unlinked);
+ 
++    // May fail, but we ignore it
+     BlessLUT(lut);
+ }
+ 
+@@ -1573,8 +1601,7 @@ cmsBool  CMSEXPORT cmsPipelineCat(cmsPipeline* l1, const cmsPipeline* l2)
+                 return FALSE;
+     }
+ 
+-    BlessLUT(l1);
+-    return TRUE;
++    return BlessLUT(l1);    
+ }
+ 
+ 
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index e5ed06c33..0256e247b 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -1755,8 +1755,8 @@ void *Type_LUT8_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cms
+     if (!_cmsReadUInt8Number(io, NULL)) goto Error;
+ 
+     // Do some checking
+-    if (InputChannels > cmsMAXCHANNELS)  goto Error;
+-    if (OutputChannels > cmsMAXCHANNELS) goto Error;
++    if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS)  goto Error;
++    if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
+ 
+    // Allocates an empty Pipeline
+     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
+@@ -2048,8 +2048,8 @@ void *Type_LUT16_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
+     if (!_cmsReadUInt8Number(io, NULL)) return NULL;
+ 
+     // Do some checking
+-    if (InputChannels > cmsMAXCHANNELS)  goto Error;
+-    if (OutputChannels > cmsMAXCHANNELS) goto Error;
++    if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS)  goto Error;
++    if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
+ 
+     // Allocates an empty LUT
+     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
+@@ -2486,7 +2486,10 @@ void* Type_LUTA2B_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
+     if (!_cmsReadUInt32Number(io, &offsetC)) return NULL;
+     if (!_cmsReadUInt32Number(io, &offsetA)) return NULL;
+ 
+-   // Allocates an empty LUT
++    if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
++    if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
++
++    // Allocates an empty LUT
+     NewLUT = cmsPipelineAlloc(self ->ContextID, inputChan, outputChan);
+     if (NewLUT == NULL) return NULL;
+ 
+@@ -2794,6 +2797,9 @@ void* Type_LUTB2A_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
+     if (!_cmsReadUInt8Number(io, &inputChan)) return NULL;
+     if (!_cmsReadUInt8Number(io, &outputChan)) return NULL;
+ 
++    if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
++    if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
++
+     // Padding
+     if (!_cmsReadUInt16Number(io, NULL)) return NULL;
+ 
+@@ -4443,6 +4449,9 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+     if (!_cmsReadUInt16Number(io, &InputChans)) return NULL;
+     if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
+ 
++    if (InputChans == 0 || InputChans >= cmsMAXCHANNELS) return NULL;
++    if (OutputChans == 0 || OutputChans >= cmsMAXCHANNELS) return NULL;
++
+     // Allocates an empty LUT
+     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
+     if (NewLUT == NULL) return NULL;
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index c775609e07..cfa790969b 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -27,4 +27,5 @@ Local Modifications:
 0014-avoid-fixed-inf.patch: Avoid fixed number LUT optimization on inf values.
 0015-sanitize-float-read.patch: Sanitize floating point read. Partially backport
     from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3
+0016-check-LUT-and-MPE.patch: check LUT consistency and sanitize MPE profiles.
 TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmslut.c b/third_party/lcms2-2.6/src/cmslut.c
index 9b0eb4b549..19d43361f0 100644
--- a/third_party/lcms2-2.6/src/cmslut.c
+++ b/third_party/lcms2-2.6/src/cmslut.c
@@ -1255,21 +1255,39 @@ cmsStage* CMSEXPORT cmsStageDup(cmsStage* mpe)
 // ***********************************************************************************************************
 
 // This function sets up the channel count
-
 static
-void BlessLUT(cmsPipeline* lut)
+cmsBool BlessLUT(cmsPipeline* lut)
 {
     // We can set the input/ouput channels only if we have elements.
     if (lut ->Elements != NULL) {
 
-        cmsStage *First, *Last;
+        cmsStage* prev;
+        cmsStage* next;
+        cmsStage* First;
+        cmsStage* Last;
 
         First  = cmsPipelineGetPtrToFirstStage(lut);
         Last   = cmsPipelineGetPtrToLastStage(lut);
 
-        if (First != NULL)lut ->InputChannels = First ->InputChannels;
-        if (Last != NULL) lut ->OutputChannels = Last ->OutputChannels;
+        if (First == NULL || Last == NULL) return FALSE;
+
+        lut->InputChannels = First->InputChannels;
+        lut->OutputChannels = Last->OutputChannels;
+
+        // Check chain consistency
+        prev = First;
+        next = prev->Next;
+
+        while (next != NULL)
+        {
+            if (next->InputChannels != prev->OutputChannels)
+                return FALSE;
+
+            next = next->Next;
+            prev = prev->Next;
+        }
     }
+    return TRUE;    
 }
 
 
@@ -1331,6 +1349,7 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
 {
        cmsPipeline* NewLUT;
 
+       // A value of zero in channels is allowed as placeholder
        if (InputChannels >= cmsMAXCHANNELS ||
            OutputChannels >= cmsMAXCHANNELS) return NULL;
 
@@ -1348,7 +1367,11 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
        NewLUT ->Data        = NewLUT;
        NewLUT ->ContextID   = ContextID;
 
-       BlessLUT(NewLUT);
+       if (!BlessLUT(NewLUT))
+       {
+           _cmsFree(ContextID, NewLUT);
+           return NULL;
+       }
 
        return NewLUT;
 }
@@ -1454,7 +1477,12 @@ cmsPipeline* CMSEXPORT cmsPipelineDup(const cmsPipeline* lut)
 
     NewLUT ->SaveAs8Bits    = lut ->SaveAs8Bits;
 
-    BlessLUT(NewLUT);
+    if (!BlessLUT(NewLUT))
+    {
+        _cmsFree(lut->ContextID, NewLUT);
+        return NULL;
+    }
+
     return NewLUT;
 }
 
@@ -1491,8 +1519,7 @@ int CMSEXPORT cmsPipelineInsertStage(cmsPipeline* lut, cmsStageLoc loc, cmsStage
             return FALSE;
     }
 
-    BlessLUT(lut);
-    return TRUE;
+    return BlessLUT(lut);    
 }
 
 // Unlink an element and return the pointer to it
@@ -1547,6 +1574,7 @@ void CMSEXPORT cmsPipelineUnlinkStage(cmsPipeline* lut, cmsStageLoc loc, cmsStag
     else
         cmsStageFree(Unlinked);
 
+    // May fail, but we ignore it
     BlessLUT(lut);
 }
 
@@ -1573,8 +1601,7 @@ cmsBool  CMSEXPORT cmsPipelineCat(cmsPipeline* l1, const cmsPipeline* l2)
                 return FALSE;
     }
 
-    BlessLUT(l1);
-    return TRUE;
+    return BlessLUT(l1);    
 }
 
 
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index e5ed06c337..0256e247b4 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -1755,8 +1755,8 @@ void *Type_LUT8_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cms
     if (!_cmsReadUInt8Number(io, NULL)) goto Error;
 
     // Do some checking
-    if (InputChannels > cmsMAXCHANNELS)  goto Error;
-    if (OutputChannels > cmsMAXCHANNELS) goto Error;
+    if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS)  goto Error;
+    if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
 
    // Allocates an empty Pipeline
     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
@@ -2048,8 +2048,8 @@ void *Type_LUT16_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
     if (!_cmsReadUInt8Number(io, NULL)) return NULL;
 
     // Do some checking
-    if (InputChannels > cmsMAXCHANNELS)  goto Error;
-    if (OutputChannels > cmsMAXCHANNELS) goto Error;
+    if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS)  goto Error;
+    if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
 
     // Allocates an empty LUT
     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
@@ -2486,7 +2486,10 @@ void* Type_LUTA2B_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
     if (!_cmsReadUInt32Number(io, &offsetC)) return NULL;
     if (!_cmsReadUInt32Number(io, &offsetA)) return NULL;
 
-   // Allocates an empty LUT
+    if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
+    if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
+
+    // Allocates an empty LUT
     NewLUT = cmsPipelineAlloc(self ->ContextID, inputChan, outputChan);
     if (NewLUT == NULL) return NULL;
 
@@ -2794,6 +2797,9 @@ void* Type_LUTB2A_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
     if (!_cmsReadUInt8Number(io, &inputChan)) return NULL;
     if (!_cmsReadUInt8Number(io, &outputChan)) return NULL;
 
+    if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
+    if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
+
     // Padding
     if (!_cmsReadUInt16Number(io, NULL)) return NULL;
 
@@ -4443,6 +4449,9 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
     if (!_cmsReadUInt16Number(io, &InputChans)) return NULL;
     if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
 
+    if (InputChans == 0 || InputChans >= cmsMAXCHANNELS) return NULL;
+    if (OutputChans == 0 || OutputChans >= cmsMAXCHANNELS) return NULL;
+
     // Allocates an empty LUT
     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
     if (NewLUT == NULL) return NULL;
author	Nicolas Pena <npm@chromium.org>	2017-02-22 12:00:58 -0500
committer	Chromium commit bot <commit-bot@chromium.org>	2017-02-22 18:17:35 +0000
commit	e3f237740fd8bea50b4a6f37f56455dfa0328546 (patch)
tree	28acdf57354fc3e2d0a031d7315710afe866c55d
parent	60fd9fc63744419a760201af596515d411b7e194 (diff)
download	pdfium-chromium/3021.tar.xz