3 files changed, 14 insertions, 0 deletions

diff --git a/third_party/lcms/0031-wrong-tag-element-count.patch b/third_party/lcms/0031-wrong-tag-element-count.patch
new file mode 100644
index 0000000000..a62bc3de6d
--- /dev/null
+++ b/third_party/lcms/0031-wrong-tag-element-count.patch
@@ -0,0 +1,12 @@
+diff --git a/third_party/lcms/src/cmsio0.c b/third_party/lcms/src/cmsio0.c
+index cc5f89064..63bbe36a8 100644
+--- a/third_party/lcms/src/cmsio0.c
++++ b/third_party/lcms/src/cmsio0.c
+@@ -1616,6 +1616,7 @@ void* CMSEXPORT cmsReadTag(cmsHPROFILE hProfile, cmsTagSignature sig)
+         _cmsTagSignature2String(String, sig);
+         cmsSignalError(Icc ->ContextID, cmsERROR_CORRUPTION_DETECTED, "'%s' Inconsistent number of items: expected %d, got %d",
+             String, TagDescriptor ->ElemCount, ElemCount);
++        goto Error;
+     }
+ 
+ 
diff --git a/third_party/lcms/README.pdfium b/third_party/lcms/README.pdfium
index 0c7dff4de2..f5ea9b1792 100644
--- a/third_party/lcms/README.pdfium
+++ b/third_party/lcms/README.pdfium
@@ -42,3 +42,4 @@ Local Modifications:
 0028-do-not-quickfloor.patch: flooring errors may cause heap-buffer-overflow.
 0029-drop-register-keyword.patch: Remove deprecated 'register' keyword.
 0030-const-data.patch: Mark many data structures as const.
+0031-wrong-tag-element-count.patch: Handle tag element count mismatch as an error.
diff --git a/third_party/lcms/src/cmsio0.c b/third_party/lcms/src/cmsio0.c
index cc5f890644..63bbe36a83 100644
--- a/third_party/lcms/src/cmsio0.c
+++ b/third_party/lcms/src/cmsio0.c
@@ -1616,6 +1616,7 @@ void* CMSEXPORT cmsReadTag(cmsHPROFILE hProfile, cmsTagSignature sig)
         _cmsTagSignature2String(String, sig);
         cmsSignalError(Icc ->ContextID, cmsERROR_CORRUPTION_DETECTED, "'%s' Inconsistent number of items: expected %d, got %d",
             String, TagDescriptor ->ElemCount, ElemCount);
+        goto Error;
     }