authorNicolas Pena <npm@chromium.org>2017-02-27 16:08:20 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-02-27 21:37:27 +0000
commit4e3f2d2a00892e0ef7cd121c6397f0cbb059cf72 (patch)
tree1e2cc73de98da002ffb3a474aa3c570d39cc6a9b
parentbe90aaea3977eadeee589cdda66c61d06d6535b0 (diff)
LCMS upstream patch to fix integer overflows
Patch: https://github.com/mm2/Little-CMS/commit/9f427d5ff544ab1be37f485ac13b2419a1610cc3 BUG=696430 Change-Id: I20b8b4aad565d6f6aaed8c66be7e9709eec2b5ce Reviewed-on: https://pdfium-review.googlesource.com/2849 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r--third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch85
-rw-r--r--third_party/lcms2-2.6/README.pdfium1
-rw-r--r--third_party/lcms2-2.6/src/cmscgats.c25
-rw-r--r--third_party/lcms2-2.6/src/cmstypes.c6
4 files changed, 104 insertions, 13 deletions
diff --git a/third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch b/third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch
new file mode 100644
index 0000000000..47df7a887d
--- /dev/null
+++ b/third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch
@@ -0,0 +1,85 @@
+diff --git a/third_party/lcms2-2.6/src/cmscgats.c b/third_party/lcms2-2.6/src/cmscgats.c
+index 5720c66a7..cce4cedba 100644
+--- a/third_party/lcms2-2.6/src/cmscgats.c
++++ b/third_party/lcms2-2.6/src/cmscgats.c
+@@ -150,23 +150,24 @@ typedef struct {
+ SUBALLOCATOR Allocator; // String suballocator -- just to keep it fast
+
+ // Parser state machine
+- SYMBOL sy; // Current symbol
+- int ch; // Current character
++ SYMBOL sy; // Current symbol
++ int ch; // Current character
++
++ cmsInt32Number inum; // integer value
++ cmsFloat64Number dnum; // real value
+
+- int inum; // integer value
+- cmsFloat64Number dnum; // real value
+ char id[MAXID]; // identifier
+ char str[MAXSTR]; // string
+
+ // Allowed keywords & datasets. They have visibility on whole stream
+- KEYVALUE* ValidKeywords;
+- KEYVALUE* ValidSampleID;
++ KEYVALUE* ValidKeywords;
++ KEYVALUE* ValidSampleID;
+
+ char* Source; // Points to loc. being parsed
+- int lineno; // line counter for error reporting
++ cmsInt32Number lineno; // line counter for error reporting
+
+ FILECTX* FileStack[MAXINCLUDE]; // Stack of files being parsed
+- int IncludeSP; // Include Stack Pointer
++ cmsInt32Number IncludeSP; // Include Stack Pointer
+
+ char* MemoryBlock; // The stream if holded in memory
+
+@@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum)
+ // Exponent, example 34.00E+20
+ if (toupper(it8->ch) == 'E') {
+
+- int e;
+- int sgn;
++ cmsInt32Number e;
++ cmsInt32Number sgn;
+
+ NextCh(it8); sgn = 1;
+
+@@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum)
+ e = 0;
+ while (isdigit(it8->ch)) {
+
+- if ((cmsFloat64Number) e * 10L < INT_MAX)
++ if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0)
+ e = e * 10 + (it8->ch - '0');
+
+ NextCh(it8);
+@@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8)
+
+ while (isdigit(it8->ch)) {
+
+- if ((long) it8->inum * 10L > (long) INT_MAX) {
++ if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) {
+ ReadReal(it8, it8->inum);
+ it8->sy = SDNUM;
+ it8->dnum *= sign;
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 0256e247b..75f1fae32 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
+ if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
+
+
++ // Input and output chans may be ANY (up to 0xffff),
++ // but we choose to limit to 16 channels for now
++ if (InputChans >= cmsMAXCHANNELS) return NULL;
++ if (OutputChans >= cmsMAXCHANNELS) return NULL;
++
+ nElems = InputChans * OutputChans;
+
+- // Input and output chans may be ANY (up to 0xffff)
+ Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number));
+ if (Matrix == NULL) return NULL;
+
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index cfa790969b..650429826c 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -28,4 +28,5 @@ Local Modifications:
0015-sanitize-float-read.patch: Sanitize floating point read. Partially backport
from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3
0016-check-LUT-and-MPE.patch: check LUT consistency and sanitize MPE profiles.
+0017-upstream-integer-overflow-MPEmatrix_Read.patch: fix some integer overflows.
TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmscgats.c b/third_party/lcms2-2.6/src/cmscgats.c
index 5720c66a74..cce4cedbad 100644
--- a/third_party/lcms2-2.6/src/cmscgats.c
+++ b/third_party/lcms2-2.6/src/cmscgats.c
@@ -150,23 +150,24 @@ typedef struct {
SUBALLOCATOR Allocator; // String suballocator -- just to keep it fast
// Parser state machine
- SYMBOL sy; // Current symbol
- int ch; // Current character
+ SYMBOL sy; // Current symbol
+ int ch; // Current character
+
+ cmsInt32Number inum; // integer value
+ cmsFloat64Number dnum; // real value
- int inum; // integer value
- cmsFloat64Number dnum; // real value
char id[MAXID]; // identifier
char str[MAXSTR]; // string
// Allowed keywords & datasets. They have visibility on whole stream
- KEYVALUE* ValidKeywords;
- KEYVALUE* ValidSampleID;
+ KEYVALUE* ValidKeywords;
+ KEYVALUE* ValidSampleID;
char* Source; // Points to loc. being parsed
- int lineno; // line counter for error reporting
+ cmsInt32Number lineno; // line counter for error reporting
FILECTX* FileStack[MAXINCLUDE]; // Stack of files being parsed
- int IncludeSP; // Include Stack Pointer
+ cmsInt32Number IncludeSP; // Include Stack Pointer
char* MemoryBlock; // The stream if holded in memory
@@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum)
// Exponent, example 34.00E+20
if (toupper(it8->ch) == 'E') {
- int e;
- int sgn;
+ cmsInt32Number e;
+ cmsInt32Number sgn;
NextCh(it8); sgn = 1;
@@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum)
e = 0;
while (isdigit(it8->ch)) {
- if ((cmsFloat64Number) e * 10L < INT_MAX)
+ if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0)
e = e * 10 + (it8->ch - '0');
NextCh(it8);
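Review bot: The guard on the exponent accumulator only bounds `e * 10`, so the following `e = e * 10 + (it8->ch - '0')` can still leave the 32-bit range. With e = 214748364 the product 2147483640 passes the test, and a digit of 8 or 9 then overflows a signed cmsInt32Number, which is undefined behaviour on text taken from the parsed stream. Folding the digit into the comparison closes the gap: `if ((cmsFloat64Number) e * 10.0 + (it8->ch - '0') < (cmsFloat64Number) +2147483647.0)`. The InSymbol hunk at -777 applies the same product-only test to `it8->inum`; the line that adds the digit is outside that hunk, so it should be checked there as well. Both loops begin and end outside the hunks shown.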
@@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8)
while (isdigit(it8->ch)) {
- if ((long) it8->inum * 10L > (long) INT_MAX) {
+ if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) {
ReadReal(it8, it8->inum);
it8->sy = SDNUM;
it8->dnum *= sign;
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 0256e247b4..75f1fae32a 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
+ // Input and output chans may be ANY (up to 0xffff),
+ // but we choose to limit to 16 channels for now
+ if (InputChans >= cmsMAXCHANNELS) return NULL;
+ if (OutputChans >= cmsMAXCHANNELS) return NULL;
+
nElems = InputChans * OutputChans;
- // Input and output chans may be ANY (up to 0xffff)
Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number));
if (Matrix == NULL) return NULL;
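Review bot: The new bound uses `>=`, so a profile declaring exactly cmsMAXCHANNELS input or output channels is rejected, while the comment directly above says the limit is 16 channels; if cmsMAXCHANNELS is 16, the effective maximum is 15. Either relax the tests to `if (InputChans > cmsMAXCHANNELS) return NULL;` (and the same for OutputChans), or reword the comment to say the count must be below cmsMAXCHANNELS. A channel count of zero still passes both tests and reaches `_cmsCalloc` with `nElems == 0`; how that is handled is not visible here and is worth confirming. Type_MPEmatrix_Read starts and continues outside the hunk.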