[LCMS] Upstream direct leak fix

This CL applies the following upstream patch:
https://github.com/mm2/Little-CMS/commit/02c95fa76bdc4f73113373070278666f47aff82f

Bug: chromium:718500
Change-Id: I7898b22e44a5ea5c0d1c301233037fbaabb8e327
Reviewed-on: https://pdfium-review.googlesource.com/5092
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

3 files changed, 40 insertions, 7 deletions

diff --git a/third_party/lcms2-2.6/0019-upstream-direct-leak-Type_MPE_Read.patch b/third_party/lcms2-2.6/0019-upstream-direct-leak-Type_MPE_Read.patch
new file mode 100644
index 0000000000..7a2f2788b0
--- /dev/null
+++ b/third_party/lcms2-2.6/0019-upstream-direct-leak-Type_MPE_Read.patch
@@ -0,0 +1,31 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 75f1fae32..f92a92822 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -4460,18 +4460,19 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
+     if (NewLUT == NULL) return NULL;
+ 
+-    if (!_cmsReadUInt32Number(io, &ElementCount)) return NULL;
+-
+-    if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) {
+-        if (NewLUT != NULL) cmsPipelineFree(NewLUT);
+-        *nItems = 0;
+-        return NULL;
+-    }
++    if (!_cmsReadUInt32Number(io, &ElementCount)) goto Error;
++    if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) goto Error;
+ 
+     // Success
+     *nItems = 1;
+     return NewLUT;
+ 
++    // Error
++Error:
++    if (NewLUT != NULL) cmsPipelineFree(NewLUT);
++    *nItems = 0;
++    return NULL;
++
+     cmsUNUSED_PARAMETER(SizeOfTag);
+ }
+ 
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 78c150d70f..94dc67a7e3 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -31,4 +31,5 @@ Local Modifications:
 0017-upstream-integer-overflow-MPEmatrix_Read.patch: fix some integer overflows.
 0018-verify-size-before-reading.patch: fix OOM issue when there won't be enough
     data to read anyway.
+0019-upstream-direct-leak-Type_MPE_Read.patch: fix leak in cmstypes.c.
 TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 4d96a1ed6b..29806fb194 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -4466,18 +4466,19 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
     NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
     if (NewLUT == NULL) return NULL;
 
-    if (!_cmsReadUInt32Number(io, &ElementCount)) return NULL;
-
-    if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) {
-        if (NewLUT != NULL) cmsPipelineFree(NewLUT);
-        *nItems = 0;
-        return NULL;
-    }
+    if (!_cmsReadUInt32Number(io, &ElementCount)) goto Error;
+    if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) goto Error;
 
     // Success
     *nItems = 1;
     return NewLUT;
 
+    // Error
+Error:
+    if (NewLUT != NULL) cmsPipelineFree(NewLUT);
+    *nItems = 0;
+    return NULL;
+
     cmsUNUSED_PARAMETER(SizeOfTag);
 }