-rw-r--r--third_party/lcms2-2.6/0018-verify-size-before-reading.patch17
-rw-r--r--third_party/lcms2-2.6/README.pdfium2
-rw-r--r--third_party/lcms2-2.6/src/cmstypes.c6
3 files changed, 25 insertions, 0 deletions
diff --git a/third_party/lcms2-2.6/0018-verify-size-before-reading.patch b/third_party/lcms2-2.6/0018-verify-size-before-reading.patch
new file mode 100644
index 0000000000..fa666e7f0c
--- /dev/null
+++ b/third_party/lcms2-2.6/0018-verify-size-before-reading.patch
@@ -0,0 +1,17 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 75f1fae32..4d96a1ed6 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
+ {
+ cmsUInt32Number i;
+ cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
++ cmsUInt32Number currentPosition;
++
++ currentPosition = io->Tell(io);
++ // Verify there is enough space left to read two cmsUInt32Number items for Count items.
++ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
++ return FALSE;
+
+ // Let's take the offsets to each element
+ ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 650429826c..78c150d70f 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -29,4 +29,6 @@ Local Modifications:
from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3
0016-check-LUT-and-MPE.patch: check LUT consistency and sanitize MPE profiles.
0017-upstream-integer-overflow-MPEmatrix_Read.patch: fix some integer overflows.
+0018-verify-size-before-reading.patch: fix OOM issue when there won't be enough
+ data to read anyway.
TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 75f1fae32a..4d96a1ed6b 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
{
cmsUInt32Number i;
cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
+ cmsUInt32Number currentPosition;
+
+ currentPosition = io->Tell(io);
+ // Verify there is enough space left to read two cmsUInt32Number items for Count items.
+ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
+ return FALSE;
// Let's take the offsets to each element
ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
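Review bot: The added guard in ReadPositionTable computes `io->ReportedSize - currentPosition` in unsigned arithmetic, so if `Tell` ever returns a position past `ReportedSize` the difference wraps to a very large value and an oversized `Count` still reaches `_cmsCalloc`. Whether that state is reachable depends on the IO handler, which is not visible in this hunk, but rejecting it explicitly is cheap: `if (currentPosition > io->ReportedSize || (io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number)) < Count) return FALSE;`. The same lines are recorded in 0018-verify-size-before-reading.patch, which would need regenerating to stay in sync. The function body continues outside the hunk.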