| author | Dan Sinclair <dsinclair@chromium.org> | 2017-05-08 14:22:48 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-05-08 18:50:02 +0000 |
| commit | 852fb12d554abbbda65bbbf3720117a0aad5a9c9 (patch) | |
| tree | 91ca7aeef1abce294b1fde8e1da19e153803ea31 /third_party | |
| parent | 486f141ed1fa5b92f59d403c4b549ede2ea1a2c8 (diff) | |
| download | pdfium-852fb12d554abbbda65bbbf3720117a0aad5a9c9.tar.xz | |
[lcms] Verify enough data to service request before allocating
If the count of items is large enough, there may not be enough data in
the file to read. This CL verifies we'll have enough data before
attempting to allocate the memory to store the results.
Bug: chromium:718504
Change-Id: I82e7df3511e529c4bd72a772e9d6e607a0615927
Reviewed-on: https://pdfium-review.googlesource.com/5110
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | third_party/lcms2-2.6/0018-verify-size-before-reading.patch | 17 |
| -rw-r--r-- | third_party/lcms2-2.6/README.pdfium | 2 |
| -rw-r--r-- | third_party/lcms2-2.6/src/cmstypes.c | 6 |
3 files changed, 25 insertions, 0 deletions
diff --git a/third_party/lcms2-2.6/0018-verify-size-before-reading.patch b/third_party/lcms2-2.6/0018-verify-size-before-reading.patch new file mode 100644 index 0000000000..fa666e7f0c --- /dev/null +++ b/third_party/lcms2-2.6/0018-verify-size-before-reading.patch @@ -0,0 +1,17 @@ +diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c +index 75f1fae32..4d96a1ed6 100644 +--- a/third_party/lcms2-2.6/src/cmstypes.c ++++ b/third_party/lcms2-2.6/src/cmstypes.c +@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self, + { + cmsUInt32Number i; + cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL; ++ cmsUInt32Number currentPosition; ++ ++ currentPosition = io->Tell(io); ++ // Verify there is enough space left to read two cmsUInt32Number items for Count items. ++ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count) ++ return FALSE; + + // Let's take the offsets to each element + ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number)); diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium index 650429826c..78c150d70f 100644 --- a/third_party/lcms2-2.6/README.pdfium +++ b/third_party/lcms2-2.6/README.pdfium @@ -29,4 +29,6 @@ Local Modifications: from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3 0016-check-LUT-and-MPE.patch: check LUT consistency and sanitize MPE profiles. 0017-upstream-integer-overflow-MPEmatrix_Read.patch: fix some integer overflows. +0018-verify-size-before-reading.patch: fix OOM issue when there won't be enough + data to read anyway. TODO(ochang): List other patches. diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c index 75f1fae32a..4d96a1ed6b 100644 --- a/third_party/lcms2-2.6/src/cmstypes.c +++ b/third_party/lcms2-2.6/src/cmstypes.c 
@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self, { cmsUInt32Number i; cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL; + cmsUInt32Number currentPosition; + + currentPosition = io->Tell(io); + // Verify there is enough space left to read two cmsUInt32Number items for Count items. + if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count) + return FALSE; // Let's take the offsets to each element ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number)); |
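Review bot: In the hunk adding 0018-verify-size-before-reading.patch, the stored file is the bare diff with no description or bug reference at the top; a short header naming the bug (chromium:718504, from the commit message) and the intent (reject a Count that cannot be backed by the bytes remaining in the profile) would let the patch be understood on its own when the series is regenerated against a newer lcms. Also worth confirming that the stored patch and the in-tree change stay byte-identical: the abbreviated index hashes differ in length between the two (75f1fae32..4d96a1ed6 in the stored patch versus 75f1fae32a..4d96a1ed6b in the tree diff), which suggests they were produced by separate git invocations and could drift apart on a later edit.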
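Review bot: In the README.pdfium hunk, the new entry describes only the symptom ("fix OOM issue") and not what is checked; naming the guarded function (ReadPositionTable) and the bug (chromium:718504) would give a maintainer rebasing the patch series enough context to decide whether the patch is still needed. The entry is the only place in this change where the purpose is recorded, so it is worth being precise here.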
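Review bot: In the cmstypes.c hunk, `io->ReportedSize - currentPosition` is unsigned arithmetic (currentPosition is declared cmsUInt32Number), so if Tell() ever reports a position past ReportedSize the subtraction wraps to a large value and the new guard is silently satisfied; an explicit `if (currentPosition > io->ReportedSize) return FALSE;` ahead of the division would keep the check meaningful in that case. With that caveat the guard does what the commit message describes: it rejects a Count for which 2 * Count 32-bit words cannot fit in the remaining bytes before either `_cmsCalloc` call runs, so a hostile Count fails early rather than after a large allocation. Two smaller points: the comment reads "two cmsUInt32Number items for Count items", which is accurate but easier to follow as "an offset and a size (two cmsUInt32Number) per element"; and the early `return FALSE` gives the caller no diagnostic, so consider whether this path should report an error the same way the other failure paths in this function do.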