Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/lcms2-2.6/0018-verify-size-before-reading.patch | 17 | ||||
-rw-r--r-- | third_party/lcms2-2.6/README.pdfium | 2 | ||||
-rw-r--r-- | third_party/lcms2-2.6/src/cmstypes.c | 6 |
3 files changed, 25 insertions, 0 deletions
diff --git a/third_party/lcms2-2.6/0018-verify-size-before-reading.patch b/third_party/lcms2-2.6/0018-verify-size-before-reading.patch
new file mode 100644
index 0000000000..fa666e7f0c
--- /dev/null
+++ b/third_party/lcms2-2.6/0018-verify-size-before-reading.patch
@@ -0,0 +1,17 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 75f1fae32..4d96a1ed6 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
+ {
+ cmsUInt32Number i;
+ cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
++ cmsUInt32Number currentPosition;
++
++ currentPosition = io->Tell(io);
++ // Verify there is enough space left to read two cmsUInt32Number items for Count items.
++ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
++ return FALSE;
+
+ // Let's take the offsets to each element
+ ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 650429826c..78c150d70f 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -29,4 +29,6 @@ Local Modifications:
 from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3
 0016-check-LUT-and-MPE.patch: check LUT consistency and sanitize MPE profiles.
 0017-upstream-integer-overflow-MPEmatrix_Read.patch: fix some integer overflows.
+0018-verify-size-before-reading.patch: fix OOM issue when there won't be enough
+ data to read anyway.
 TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 75f1fae32a..4d96a1ed6b 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
 {
 cmsUInt32Number i;
 cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
+ cmsUInt32Number currentPosition;
+
+ currentPosition = io->Tell(io);
+ // Verify there is enough space left to read two cmsUInt32Number items for Count items.
+ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
+ return FALSE;
 
 // Let's take the offsets to each element
 ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
|
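Review bot: The subtraction `io->ReportedSize - currentPosition` in the new size check can wrap if the position returned by `io->Tell(io)` is ever past `ReportedSize`, since `currentPosition` is a `cmsUInt32Number` and `ReportedSize` is presumably unsigned as well; the wrapped difference is very large, so the check passes and the `Count`-sized `_cmsCalloc` calls still run. Testing the order first closes that gap: `if (currentPosition > io->ReportedSize || (io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number)) < Count) return FALSE;`. The early return itself is safe because it comes before either allocation, while both pointers are still NULL. The check bounds only the table of offset/size pairs; whether each element's offset and size are validated against the profile size depends on the rest of ReadPositionTable, which lies outside the hunk.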