author: kcwu <kcwu@chromium.org> 2016-10-17 06:13:11 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-10-17 06:13:11 -0700
commit: 85fcf94eeae589641213c4301bbb16b44b10a282
tree: b29673f448464f6bf5803e06e2c40aed97989b8e /third_party/lcms2-2.6/src/cmsplugin.c
parent: 05923132ae08d45fbe957219775a48c55ee57aef
lcms: reject NaN when reading float numbers

LerpFloat functions expect input values are normal float. They first clamp values to the range of [0.0, 1.0] and then calculate interpolation with the input values. If the input value is NaN, it will lead to heap buffer overflow because the index to LutTable is calculated based on the said value and fclamp(NaN) is not in expected [0.0, 1.0] range.

This patch rejects all NaN values earlier when reading float numbers. So it also changed behavior for cases other than LerpFloat. I think it is okay because NaN doesn't make sense for usual calculations.

BUG=654676
Review-Url: https://codereview.chromium.org/2422553002

Diffstat (limited to 'third_party/lcms2-2.6/src/cmsplugin.c')
-rw-r--r-- third_party/lcms2-2.6/src/cmsplugin.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/third_party/lcms2-2.6/src/cmsplugin.c b/third_party/lcms2-2.6/src/cmsplugin.c
index 8903d2bd61..b95befbd96 100644
--- a/third_party/lcms2-2.6/src/cmsplugin.c
+++ b/third_party/lcms2-2.6/src/cmsplugin.c
@@ -179,6 +179,8 @@ cmsBool CMSEXPORT _cmsReadFloat32Number(cmsIOHANDLER* io, cmsFloat32Number* n)
tmp = _cmsAdjustEndianess32(tmp);
*n = *(cmsFloat32Number*) &tmp;
+ if (isnan(*n))
+ return FALSE;
}
return TRUE;
}
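
Review bot: The isnan(*n) check placed after the `*n = *(cmsFloat32Number*) &tmp;` assignment only covers floats that enter through _cmsReadFloat32Number, while the commit message locates the actual fault in the clamp used by the LerpFloat functions, which lets NaN through and then feeds the LutTable index. Any float that reaches the interpolation by another route (computed by an earlier stage, or supplied by the caller rather than read from the profile) still hits the same out-of-range index, so I would also make the clamp itself NaN-safe, for example by mapping NaN to 0.0 before the range comparison, and keep this read-time rejection as the early filter. Two smaller points: the diffstat shows only these two insertions and no new #include, so please confirm <math.h> is already visible in cmsplugin.c for isnan, and add a one-line comment at the check pointing to BUG=654676, since a reader returning FALSE on a syntactically valid 32-bit value is otherwise surprising. On failure *n has already been overwritten with the NaN; callers that ignore the return value would still consume it, so consider assigning to *n only after the check passes.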