author | Nicolas Pena <npm@chromium.org> | 2017-02-22 12:00:58 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-02-22 18:17:35 +0000 |
commit | e3f237740fd8bea50b4a6f37f56455dfa0328546 (patch) | |
tree | 28acdf57354fc3e2d0a031d7315710afe866c55d /third_party/lcms2-2.6/src | |
parent | 60fd9fc63744419a760201af596515d411b7e194 (diff) | |
download | pdfium-e3f237740fd8bea50b4a6f37f56455dfa0328546.tar.xz |
lcms upstream patches to fix security bug chromium/3021
Patch that fixes LUT consistency:
https://github.com/mm2/Little-CMS/commit/9936ecf0745002cea8e46dc575079b4872e9af8c
Patch that sanitizes MPE profiles:
https://github.com/mm2/Little-CMS/commit/06662a755525586223efe1790da1497d5b2d9e67
BUG=675617
Change-Id: I9ccc4158432387360dcb358e2a015a9434df46e4
Reviewed-on: https://pdfium-review.googlesource.com/2820
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/lcms2-2.6/src')
-rw-r--r-- | third_party/lcms2-2.6/src/cmslut.c | 49 | ||||
-rw-r--r-- | third_party/lcms2-2.6/src/cmstypes.c | 19 |
2 files changed, 52 insertions, 16 deletions
diff --git a/third_party/lcms2-2.6/src/cmslut.c b/third_party/lcms2-2.6/src/cmslut.c
index 9b0eb4b549..19d43361f0 100644
--- a/third_party/lcms2-2.6/src/cmslut.c
+++ b/third_party/lcms2-2.6/src/cmslut.c
@@ -1255,21 +1255,39 @@ cmsStage* CMSEXPORT cmsStageDup(cmsStage* mpe)
 // ***********************************************************************************************************
 // This function sets up the channel count
-
 static
-void BlessLUT(cmsPipeline* lut)
+cmsBool BlessLUT(cmsPipeline* lut)
 {
 // We can set the input/ouput channels only if we have elements.
 if (lut ->Elements != NULL) {
- cmsStage *First, *Last;
+ cmsStage* prev;
+ cmsStage* next;
+ cmsStage* First;
+ cmsStage* Last;
 First = cmsPipelineGetPtrToFirstStage(lut);
 Last = cmsPipelineGetPtrToLastStage(lut);
- if (First != NULL)lut ->InputChannels = First ->InputChannels;
- if (Last != NULL) lut ->OutputChannels = Last ->OutputChannels;
+ if (First == NULL || Last == NULL) return FALSE;
+
+ lut->InputChannels = First->InputChannels;
+ lut->OutputChannels = Last->OutputChannels;
+
+ // Check chain consistency
+ prev = First;
+ next = prev->Next;
+
+ while (next != NULL)
+ {
+ if (next->InputChannels != prev->OutputChannels)
+ return FALSE;
+
+ next = next->Next;
+ prev = prev->Next;
+ }
 }
+ return TRUE;
 }
@@ -1331,6 +1349,7 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
 {
 cmsPipeline* NewLUT;
+ // A value of zero in channels is allowed as placeholder
 if (InputChannels >= cmsMAXCHANNELS || OutputChannels >= cmsMAXCHANNELS) return NULL;
@@ -1348,7 +1367,11 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
 NewLUT ->Data = NewLUT;
 NewLUT ->ContextID = ContextID;
- BlessLUT(NewLUT);
+ if (!BlessLUT(NewLUT))
+ {
+ _cmsFree(ContextID, NewLUT);
+ return NULL;
+ }
 return NewLUT;
 }
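Review bot: In the first hunk, BlessLUT writes `lut->InputChannels` and `lut->OutputChannels` before it walks the chain, so when it returns FALSE the pipeline keeps the new counts together with a mismatched stage list, and the header comment still only says it "sets up the channel count". The cmsPipelineUnlinkStage hunk deliberately ignores the result, so a pipeline in that state can stay in use on that path. I would document the contract above the function, e.g. `// Sets the channel counts from the first and last stage; returns FALSE if two adjacent stages disagree on channel count, in which case callers should treat the pipeline as unusable.` The loop would also read more clearly if it advanced with `prev = next; next = next->Next;`, which makes the pairing explicit.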
@@ -1454,7 +1477,12 @@ cmsPipeline* CMSEXPORT cmsPipelineDup(const cmsPipeline* lut)
 NewLUT ->SaveAs8Bits = lut ->SaveAs8Bits;
- BlessLUT(NewLUT);
+ if (!BlessLUT(NewLUT))
+ {
+ _cmsFree(lut->ContextID, NewLUT);
+ return NULL;
+ }
+
 return NewLUT;
 }
@@ -1491,8 +1519,7 @@ int CMSEXPORT cmsPipelineInsertStage(cmsPipeline* lut, cmsStageLoc loc, cmsStage
 return FALSE;
 }
- BlessLUT(lut);
- return TRUE;
+ return BlessLUT(lut);
 }
 // Unlink an element and return the pointer to it
@@ -1547,6 +1574,7 @@ void CMSEXPORT cmsPipelineUnlinkStage(cmsPipeline* lut, cmsStageLoc loc, cmsStag
 else cmsStageFree(Unlinked);
+ // May fail, but we ignore it
 BlessLUT(lut);
 }
@@ -1573,8 +1601,7 @@ cmsBool CMSEXPORT cmsPipelineCat(cmsPipeline* l1, const cmsPipeline* l2)
 return FALSE;
 }
- BlessLUT(l1);
- return TRUE;
+ return BlessLUT(l1);
 }
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index e5ed06c337..0256e247b4 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -1755,8 +1755,8 @@ void *Type_LUT8_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cms
 if (!_cmsReadUInt8Number(io, NULL)) goto Error;
 // Do some checking
- if (InputChannels > cmsMAXCHANNELS) goto Error;
- if (OutputChannels > cmsMAXCHANNELS) goto Error;
+ if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
+ if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
 // Allocates an empty Pipeline
 NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
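Review bot: The failure branch added to cmsPipelineDup after `NewLUT ->SaveAs8Bits = ...` releases only the pipeline struct, via `_cmsFree(lut->ContextID, NewLUT);`. If stages or duplicated private data were already attached to NewLUT earlier in the function, which starts outside this hunk, they are leaked on this path. `cmsPipelineFree(NewLUT);` would release the whole object instead. The matching branch in cmsPipelineAlloc does not raise the same question, since the pipeline is presumably still empty there.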
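Review bot: `return BlessLUT(lut);` at the end of cmsPipelineInsertStage can now report failure after the stage has presumably already been linked into lut (the linking code is above the hunk), so FALSE no longer means "nothing changed". A caller that frees its stage when the call fails would then release memory the pipeline still points to. Either unlink the stage again before returning FALSE, or state in the function comment that the pipeline owns the stage regardless of the result. The cmsPipelineCat hunk (`return BlessLUT(l1);`) has the same shape, with l1 already extended when FALSE comes back.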
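Review bot: The upper bound in Type_LUT8_Read is still `> cmsMAXCHANNELS`, while cmsPipelineAlloc in cmslut.c rejects `>= cmsMAXCHANNELS` and the checks this commit adds to Type_LUTA2B_Read, Type_LUTB2A_Read and Type_MPE_Read use `>=`. A count equal to cmsMAXCHANNELS therefore passes this check and is only stopped by the allocator, so the reader relies on whatever handles a NULL return from cmsPipelineAlloc, which is outside the hunk. Using `if (InputChannels == 0 || InputChannels >= cmsMAXCHANNELS) goto Error;` (and the same for OutputChannels) would make all five readers agree. The Type_LUT16_Read hunk has the same pair of lines.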
@@ -2048,8 +2048,8 @@ void *Type_LUT16_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
 if (!_cmsReadUInt8Number(io, NULL)) return NULL;
 // Do some checking
- if (InputChannels > cmsMAXCHANNELS) goto Error;
- if (OutputChannels > cmsMAXCHANNELS) goto Error;
+ if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
+ if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
 // Allocates an empty LUT
 NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
@@ -2486,7 +2486,10 @@ void* Type_LUTA2B_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
 if (!_cmsReadUInt32Number(io, &offsetC)) return NULL;
 if (!_cmsReadUInt32Number(io, &offsetA)) return NULL;
- // Allocates an empty LUT
+ if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
+ if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
+
+ // Allocates an empty LUT
 NewLUT = cmsPipelineAlloc(self ->ContextID, inputChan, outputChan);
 if (NewLUT == NULL) return NULL;
@@ -2794,6 +2797,9 @@ void* Type_LUTB2A_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
 if (!_cmsReadUInt8Number(io, &inputChan)) return NULL;
 if (!_cmsReadUInt8Number(io, &outputChan)) return NULL;
+ if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
+ if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
+
 // Padding
 if (!_cmsReadUInt16Number(io, NULL)) return NULL;
@@ -4443,6 +4449,9 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
 if (!_cmsReadUInt16Number(io, &InputChans)) return NULL;
 if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
+ if (InputChans == 0 || InputChans >= cmsMAXCHANNELS) return NULL;
+ if (OutputChans == 0 || OutputChans >= cmsMAXCHANNELS) return NULL;
+
 // Allocates an empty LUT
 NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
 if (NewLUT == NULL) return NULL; |