authorDan Sinclair <dsinclair@chromium.org>2017-05-08 14:22:48 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-05-08 18:50:02 +0000
commit852fb12d554abbbda65bbbf3720117a0aad5a9c9 (patch)
tree91ca7aeef1abce294b1fde8e1da19e153803ea31 /third_party/lcms2-2.6/src
parent486f141ed1fa5b92f59d403c4b549ede2ea1a2c8 (diff)
[lcms] Verify enough data to service request before allocating
If the count of items is large enough, there may not be enough data in the file to read. This CL verifies we'll have enough data before attempting to allocate the memory to store the results. Bug: chromium:718504 Change-Id: I82e7df3511e529c4bd72a772e9d6e607a0615927 Reviewed-on: https://pdfium-review.googlesource.com/5110 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/lcms2-2.6/src')
-rw-r--r--third_party/lcms2-2.6/src/cmstypes.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 75f1fae32a..4d96a1ed6b 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
{
cmsUInt32Number i;
cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
+ cmsUInt32Number currentPosition;
+
+ currentPosition = io->Tell(io);
+ // Verify there is enough space left to read two cmsUInt32Number items for Count items.
+ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
+ return FALSE;
// Let's take the offsets to each element
ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
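Review bot: The added guard computes `io->ReportedSize - currentPosition` in unsigned arithmetic, so if `io->Tell(io)` ever returns a position past `ReportedSize` the difference wraps to a very large value and the check passes for any `Count`, which defeats the pre-allocation bound. Whether a handler can report such a position is not visible in this hunk, so I would make the guard self-contained: `if (currentPosition > io->ReportedSize || ((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count) return FALSE;`. It would also help to note in the comment that the bound is only as trustworthy as `ReportedSize`, and that it covers the offset/size table itself, not the elements those entries point to. The body of ReadPositionTable continues past the end of the hunk, so the per-element reads are not reviewed here.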