diff options
| author | Lei Zhang <thestig@chromium.org> | 2016-10-31 14:07:00 -0700 |
|---|---|---|
| committer | Lei Zhang <thestig@chromium.org> | 2016-10-31 14:07:00 -0700 |
| commit | 21df30a9d215d11f58e6d36223612679606e4b9c (patch) | |
| tree | 669949baee7663e414d9ed93073025c922a7bd98 /third_party | |
| parent | 7b6a64898780a25b27562f69f3bb572442058586 (diff) | |
| download | pdfium-21df30a9d215d11f58e6d36223612679606e4b9c.tar.xz | |
M55: lcms: reject NaN when reading float numbers
LerpFloat functions expect input values are normal float. They first
clamp values to the range of [0.0, 1.0] and then calculate interpolation
with the input values.
If the input value is NaN, it will lead to heap buffer overflow because
the index to LutTable is calculated based on the said value and
fclamp(NaN) is not in expected [0.0, 1.0] range.
This patch rejects all NaN values earlier when reading float numbers. So
it also changed behavior for cases other than LerpFloat. I think it is
okay because NaN doesn't make sense for usual calculations.
BUG=654676
Review-Url: https://codereview.chromium.org/2422553002
(cherry picked from commit 85fcf94eeae589641213c4301bbb16b44b10a282)
Review URL: https://codereview.chromium.org/2462243002 .
Diffstat (limited to 'third_party')
| -rw-r--r-- | third_party/lcms2-2.6/0010-reject-nan.patch | 13 | ||||
| -rw-r--r-- | third_party/lcms2-2.6/README.pdfium | 1 | ||||
| -rw-r--r-- | third_party/lcms2-2.6/src/cmsplugin.c | 2 |
3 files changed, 16 insertions, 0 deletions
diff --git a/third_party/lcms2-2.6/0010-reject-nan.patch b/third_party/lcms2-2.6/0010-reject-nan.patch new file mode 100644 index 0000000000..2cf49ca0f7 --- /dev/null +++ b/third_party/lcms2-2.6/0010-reject-nan.patch @@ -0,0 +1,13 @@ +diff --git a/third_party/lcms2-2.6/src/cmsplugin.c b/third_party/lcms2-2.6/src/cmsplugin.c +index 8903d2b..b95befb 100644 +--- a/third_party/lcms2-2.6/src/cmsplugin.c ++++ b/third_party/lcms2-2.6/src/cmsplugin.c +@@ -179,6 +179,8 @@ cmsBool CMSEXPORT _cmsReadFloat32Number(cmsIOHANDLER* io, cmsFloat32Number* n) + + tmp = _cmsAdjustEndianess32(tmp); + *n = *(cmsFloat32Number*) &tmp; ++ if (isnan(*n)) ++ return FALSE; + } + return TRUE; + } diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium index 1fa3f56164..5a9497dbf8 100644 --- a/third_party/lcms2-2.6/README.pdfium +++ b/third_party/lcms2-2.6/README.pdfium @@ -19,4 +19,5 @@ Local Modifications: 0007-memory-leak-OptimizeByResampling.patch: Fix memory leak in OptimizeByResampling. 0008-memory-leak-Type_MPEmatrix_Read.patch: Fix memory leak in MPEmatrix_Read. 0009-cols-rows-swap.patch: Fix rows/cols swap in cmsStageAllocMatrix. +0010-reject-nan.patch: Reject NaN when reading float numbers. TODO(ochang): List other patches. diff --git a/third_party/lcms2-2.6/src/cmsplugin.c b/third_party/lcms2-2.6/src/cmsplugin.c index 8903d2bd61..b95befbd96 100644 --- a/third_party/lcms2-2.6/src/cmsplugin.c +++ b/third_party/lcms2-2.6/src/cmsplugin.c @@ -179,6 +179,8 @@ cmsBool CMSEXPORT _cmsReadFloat32Number(cmsIOHANDLER* io, cmsFloat32Number* n) tmp = _cmsAdjustEndianess32(tmp); *n = *(cmsFloat32Number*) &tmp; + if (isnan(*n)) + return FALSE; } return TRUE; } |