author | Lei Zhang <thestig@chromium.org> | 2018-08-30 20:15:34 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-30 20:15:34 +0000 |
commit | 81a3c2408a1fb3e3cc4b06d659cce19157ee0a91 (patch) | |
tree | 18a9d59398b2f8e36b71a3b13fe52378ec0fc49b /third_party | |
parent | 678f5418d36f553f4a908e51a3e5e3fcf5c66a16 (diff) | |
download | pdfium-81a3c2408a1fb3e3cc4b06d659cce19157ee0a91.tar.xz |
Add check on CGATS memory allocation in littlecms.
This pulls in the relevant bits from upstream commit 768f70ca.
BUG=chromium:872189
Change-Id: I6a970a00ff322768cddc2825e4b6e3e12400d43d
Reviewed-on: https://pdfium-review.googlesource.com/41671
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/lcms/0032-cgats-allocation.patch | 24 | ||||
-rw-r--r-- | third_party/lcms/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/lcms/src/cmscgats.c | 12 |
3 files changed, 34 insertions, 3 deletions
diff --git a/third_party/lcms/0032-cgats-allocation.patch b/third_party/lcms/0032-cgats-allocation.patch
new file mode 100644
index 0000000000..08204b53d6
--- /dev/null
+++ b/third_party/lcms/0032-cgats-allocation.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
+index 55f74ede8..0738a1cce 100644
+--- a/third_party/lcms/src/cmscgats.c
++++ b/third_party/lcms/src/cmscgats.c
+@@ -1504,10 +1504,16 @@ void AllocateDataSet(cmsIT8* it8)
+ t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
+ t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
+ 
+- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
+- if (t->Data == NULL) {
++ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
++ {
++ SynError(it8, "AllocateDataSet: too much data");
++ }
++ else {
++ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
++ if (t->Data == NULL) {
+ 
+- SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ }
+ }
+ 
+ }
diff --git a/third_party/lcms/README.pdfium b/third_party/lcms/README.pdfium
index f5ea9b1792..1a096c86d5 100644
--- a/third_party/lcms/README.pdfium
+++ b/third_party/lcms/README.pdfium
@@ -43,3 +43,4 @@ Local Modifications:
 0029-drop-register-keyword.patch: Remove deprecated 'register' keyword.
 0030-const-data.patch: Mark many data structures as const.
 0031-wrong-tag-element-count.patch: Handle tag element count mismatch as an error.
+0032-cgats-allocation.patch: Add check on CGATS memory allocation.
diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
index 55f74ede8b..0738a1cce3 100644
--- a/third_party/lcms/src/cmscgats.c
+++ b/third_party/lcms/src/cmscgats.c
@@ -1504,10 +1504,16 @@ void AllocateDataSet(cmsIT8* it8)
 t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
 t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
 
- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
- if (t->Data == NULL) {
+ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+ {
+ SynError(it8, "AllocateDataSet: too much data");
+ }
+ else {
+ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+ if (t->Data == NULL) {
 
- SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ }
 }
 
 }
|
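Review bot: The `0x7ffe` limit in the new `if` bounds each count separately but not their product, so with 8-byte pointers `(nSamples + 1) * (nPatches + 1) * sizeof(char*)` can still exceed 32 bits (0x7fff * 0x7fff * 8 is roughly 8 GiB). AllocChunk's signature is not visible in this hunk; if its size parameter is a `cmsUInt32Number`, the byte count would presumably be truncated and `t->Data` would end up smaller than the nSamples-by-nPatches table it is meant to hold. I would add a bound on the total to the same condition, for example `|| ((cmsUInt32Number)t->nSamples + 1) > 0xFFFFFFFFU / sizeof(char*) / ((cmsUInt32Number)t->nPatches + 1)`, plus a one-line comment saying why `0x7ffe` was chosen. Both counts come from `atoi()` on properties read from the parsed file, so they should be treated as untrusted; the start of AllocateDataSet is outside the hunk.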