lcms: reject NaN when reading float numbers

LerpFloat functions expect input values are normal float. They first
clamp values to the range of [0.0, 1.0] and then calculate interpolation
with the input values.

If the input value is NaN, it will lead to heap buffer overflow because
the index to LutTable is calculated based on the said value and
fclamp(NaN) is not in expected [0.0, 1.0] range.

This patch rejects all NaN values earlier when reading float numbers. So
it also changed behavior for cases other than LerpFloat. I think it is
okay because NaN doesn't make sense for usual calculations.

BUG=654676

Review-Url: https://codereview.chromium.org/2422553002

1 files changed, 13 insertions, 0 deletions

diff --git a/third_party/lcms2-2.6/0010-reject-nan.patch b/third_party/lcms2-2.6/0010-reject-nan.patch
new file mode 100644
index 0000000000..2cf49ca0f7
--- /dev/null
+++ b/third_party/lcms2-2.6/0010-reject-nan.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/lcms2-2.6/src/cmsplugin.c b/third_party/lcms2-2.6/src/cmsplugin.c
+index 8903d2b..b95befb 100644
+--- a/third_party/lcms2-2.6/src/cmsplugin.c
++++ b/third_party/lcms2-2.6/src/cmsplugin.c
+@@ -179,6 +179,8 @@ cmsBool CMSEXPORT  _cmsReadFloat32Number(cmsIOHANDLER* io, cmsFloat32Number* n)
+ 
+         tmp = _cmsAdjustEndianess32(tmp);
+         *n = *(cmsFloat32Number*) &tmp;
++        if (isnan(*n))
++            return FALSE;
+     }
+     return TRUE;
+ }