diff options
author | Nicolas Pena <npm@chromium.org> | 2017-02-27 16:08:20 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-02-27 21:37:27 +0000 |
commit | 4e3f2d2a00892e0ef7cd121c6397f0cbb059cf72 (patch) | |
tree | 1e2cc73de98da002ffb3a474aa3c570d39cc6a9b /third_party/lcms2-2.6/src/cmstypes.c | |
parent | be90aaea3977eadeee589cdda66c61d06d6535b0 (diff) | |
download | pdfium-4e3f2d2a00892e0ef7cd121c6397f0cbb059cf72.tar.xz |
LCMS upstream patch to fix integer overflows
Patch:
https://github.com/mm2/Little-CMS/commit/9f427d5ff544ab1be37f485ac13b2419a1610cc3
BUG=696430
Change-Id: I20b8b4aad565d6f6aaed8c66be7e9709eec2b5ce
Reviewed-on: https://pdfium-review.googlesource.com/2849
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/lcms2-2.6/src/cmstypes.c')
-rw-r--r-- | third_party/lcms2-2.6/src/cmstypes.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c index 0256e247b4..75f1fae32a 100644 --- a/third_party/lcms2-2.6/src/cmstypes.c +++ b/third_party/lcms2-2.6/src/cmstypes.c @@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL; + // Input and output chans may be ANY (up to 0xffff), + // but we choose to limit to 16 channels for now + if (InputChans >= cmsMAXCHANNELS) return NULL; + if (OutputChans >= cmsMAXCHANNELS) return NULL; + nElems = InputChans * OutputChans; - // Input and output chans may be ANY (up to 0xffff) Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number)); if (Matrix == NULL) return NULL; |