Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later. BUG=chromium:651849 Review-Url: https://codereview.chromium.org/2384063006
author: kcwu <kcwu@chromium.org> 2016-10-04 19:00:41 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-10-04 19:00:41 -0700
commit: 958e57cbe864f356140b74cbc3b70bf352187bd4 (patch)
tree: ec334c7db2f0ab35e926f19c2c7763746d99a042 /third_party/lcms2-2.6/src
parent: 98c6c15abfec45648d85c73e746f0cb109a8d35b (diff)
download: pdfium-958e57cbe864f356140b74cbc3b70bf352187bd4.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 15199c7084..6f335d9bb1 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -4225,7 +4225,7 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
     }
 
 
-    mpe = cmsStageAllocMatrix(self ->ContextID, OutputChans, InputChans, Matrix, Offsets);
+    mpe = cmsStageAllocMatrix(self ->ContextID, InputChans, OutputChans, Matrix, Offsets);
     _cmsFree(self ->ContextID, Matrix);
     _cmsFree(self ->ContextID, Offsets);
author	kcwu <kcwu@chromium.org>	2016-10-04 19:00:41 -0700
committer	Commit bot <commit-bot@chromium.org>	2016-10-04 19:00:41 -0700
commit	958e57cbe864f356140b74cbc3b70bf352187bd4 (patch)
tree	ec334c7db2f0ab35e926f19c2c7763746d99a042 /third_party/lcms2-2.6/src
parent	98c6c15abfec45648d85c73e746f0cb109a8d35b (diff)
download	pdfium-958e57cbe864f356140b74cbc3b70bf352187bd4.tar.xz