diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-08-14 10:36:01 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-08-14 15:02:17 +0000 |
| commit | 0bd847232a1f430c70dd9d8df177ce68a3cde010 (patch) | |
| tree | 15cec8c11493549f1974ae2f6aeac58234c176d2 /third_party/lcms/0023-upstream-integer-overflow-MPEmatrix_Read.patch | |
| parent | dff02cee2d2410d81a55c59345fb38b5aac8a457 (diff) | |
| download | pdfium-0bd847232a1f430c70dd9d8df177ce68a3cde010.tar.xz | |
LCMS: upgrade to 2.8
This CL upgrades LCMS from version 2.6 to 2.8. All changes from LCMS
original version 2.8 are stored in patch files:
- Patch 0: memory management modifications to use PDFium methods. This
was previously not in any patch, so the changes were manually applied.
- Patches 1-5: new patch files corresponding to old changes that can be
seen in the history, but did not previously have patch files.
- Patches 6-25: previous patches (patch numbers shifted by 6). The one
for from16-to-8-overflow.patch was deleted as it was already upstream.
Some patches did not apply cleanly so their .patch files were modified.
- Patch 26: as I just moved files directly, unsupported characters were
moved in unchanged, so I had to fix all of them: e with tilde and
other characters were replaced to allow compilation on Windows.
- Patch 27: Went over the code and re-applied changes that included
comments clearly indicating this was Foxit. These changes are all
already seen in the initial PDFium commit.
Change-Id: Ic1d84e54803ef9e6b280ef7619bbf0b757312fbf
Reviewed-on: https://pdfium-review.googlesource.com/10590
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/lcms/0023-upstream-integer-overflow-MPEmatrix_Read.patch')
| -rw-r--r-- | third_party/lcms/0023-upstream-integer-overflow-MPEmatrix_Read.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/third_party/lcms/0023-upstream-integer-overflow-MPEmatrix_Read.patch b/third_party/lcms/0023-upstream-integer-overflow-MPEmatrix_Read.patch new file mode 100644 index 0000000000..70a6bb9b20 --- /dev/null +++ b/third_party/lcms/0023-upstream-integer-overflow-MPEmatrix_Read.patch @@ -0,0 +1,85 @@ +diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c +index 5720c66a7..cce4cedba 100644 +--- a/third_party/lcms/src/cmscgats.c ++++ b/third_party/lcms/src/cmscgats.c +@@ -150,23 +150,24 @@ typedef struct { + SUBALLOCATOR Allocator; // String suballocator -- just to keep it fast + + // Parser state machine +- SYMBOL sy; // Current symbol +- int ch; // Current character ++ SYMBOL sy; // Current symbol ++ int ch; // Current character ++ ++ cmsInt32Number inum; // integer value ++ cmsFloat64Number dnum; // real value + +- int inum; // integer value +- cmsFloat64Number dnum; // real value + char id[MAXID]; // identifier + char str[MAXSTR]; // string + + // Allowed keywords & datasets. They have visibility on whole stream +- KEYVALUE* ValidKeywords; +- KEYVALUE* ValidSampleID; ++ KEYVALUE* ValidKeywords; ++ KEYVALUE* ValidSampleID; + + char* Source; // Points to loc. being parsed +- int lineno; // line counter for error reporting ++ cmsInt32Number lineno; // line counter for error reporting + + FILECTX* FileStack[MAXINCLUDE]; // Stack of files being parsed +- int IncludeSP; // Include Stack Pointer ++ cmsInt32Number IncludeSP; // Include Stack Pointer + + char* MemoryBlock; // The stream if holded in memory + +@@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum) + // Exponent, example 34.00E+20 + if (toupper(it8->ch) == 'E') { + +- int e; +- int sgn; ++ cmsInt32Number e; ++ cmsInt32Number sgn; + + NextCh(it8); sgn = 1; + +@@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum) + e = 0; + while (isdigit(it8->ch)) { + +- if ((cmsFloat64Number) e * 10L < INT_MAX) ++ if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0) + e = e * 10 + (it8->ch - '0'); + + NextCh(it8); +@@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8) + + while (isdigit(it8->ch)) { + +- if ((long) it8->inum * 10L > (long) INT_MAX) { ++ if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) { + ReadReal(it8, it8->inum); + it8->sy = SDNUM; + it8->dnum *= sign; +diff --git a/third_party/lcms/src/cmstypes.c b/third_party/lcms/src/cmstypes.c +index 0256e247b..75f1fae32 100644 +--- a/third_party/lcms/src/cmstypes.c ++++ b/third_party/lcms/src/cmstypes.c +@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io + if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL; + + ++ // Input and output chans may be ANY (up to 0xffff), ++ // but we choose to limit to 16 channels for now ++ if (InputChans >= cmsMAXCHANNELS) return NULL; ++ if (OutputChans >= cmsMAXCHANNELS) return NULL; ++ + nElems = InputChans * OutputChans; + +- // Input and output chans may be ANY (up to 0xffff) + Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number)); + if (Matrix == NULL) return NULL; + |