summaryrefslogtreecommitdiff
path: root/third_party/lcms
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/lcms')
-rw-r--r--third_party/lcms/0032-cgats-allocation.patch24
-rw-r--r--third_party/lcms/README.pdfium1
-rw-r--r--third_party/lcms/src/cmscgats.c12
3 files changed, 34 insertions, 3 deletions
diff --git a/third_party/lcms/0032-cgats-allocation.patch b/third_party/lcms/0032-cgats-allocation.patch
new file mode 100644
index 0000000000..08204b53d6
--- /dev/null
+++ b/third_party/lcms/0032-cgats-allocation.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
+index 55f74ede8..0738a1cce 100644
+--- a/third_party/lcms/src/cmscgats.c
++++ b/third_party/lcms/src/cmscgats.c
+@@ -1504,10 +1504,16 @@ void AllocateDataSet(cmsIT8* it8)
+ t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
+ t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
+
+- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
+- if (t->Data == NULL) {
++ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
++ {
++ SynError(it8, "AllocateDataSet: too much data");
++ }
++ else {
++ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
++ if (t->Data == NULL) {
+
+- SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ }
+ }
+
+ }
diff --git a/third_party/lcms/README.pdfium b/third_party/lcms/README.pdfium
index f5ea9b1792..1a096c86d5 100644
--- a/third_party/lcms/README.pdfium
+++ b/third_party/lcms/README.pdfium
@@ -43,3 +43,4 @@ Local Modifications:
0029-drop-register-keyword.patch: Remove deprecated 'register' keyword.
0030-const-data.patch: Mark many data structures as const.
0031-wrong-tag-element-count.patch: Handle tag element count mismatch as an error.
+0032-cgats-allocation.patch: Add check on CGATS memory allocation.
diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
index 55f74ede8b..0738a1cce3 100644
--- a/third_party/lcms/src/cmscgats.c
+++ b/third_party/lcms/src/cmscgats.c
@@ -1504,10 +1504,16 @@ void AllocateDataSet(cmsIT8* it8)
t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
- if (t->Data == NULL) {
+ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+ {
+ SynError(it8, "AllocateDataSet: too much data");
+ }
+ else {
+ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+ if (t->Data == NULL) {
- SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ }
}
}