Age | Commit message (Collapse) | Author |
|
This CL applies the following upstream patch:
https://github.com/mm2/Little-CMS/commit/02c95fa76bdc4f73113373070278666f47aff82f
Bug: chromium:718500
Change-Id: I7898b22e44a5ea5c0d1c301233037fbaabb8e327
Reviewed-on: https://pdfium-review.googlesource.com/5092
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
|
|
If the count of items is large enough, there maybe not enough data in
the file to read. This Cl verifies we'll have enough data before
attempting to allocate the memory to store the results.
Bug: chromium:718504
Change-Id: I82e7df3511e529c4bd72a772e9d6e607a0615927
Reviewed-on: https://pdfium-review.googlesource.com/5110
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
|
|
Patch:
https://github.com/mm2/Little-CMS/commit/9f427d5ff544ab1be37f485ac13b2419a1610cc3
BUG=696430
Change-Id: I20b8b4aad565d6f6aaed8c66be7e9709eec2b5ce
Reviewed-on: https://pdfium-review.googlesource.com/2849
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Patch that fixes LUT consistency:
https://github.com/mm2/Little-CMS/commit/9936ecf0745002cea8e46dc575079b4872e9af8c
Patch that sanitizes MPE profiles:
https://github.com/mm2/Little-CMS/commit/06662a755525586223efe1790da1497d5b2d9e67
BUG=675617
Change-Id: I9ccc4158432387360dcb358e2a015a9434df46e4
Reviewed-on: https://pdfium-review.googlesource.com/2820
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
This is partially backported from upstream
https://github.com/mm2/Little-CMS/commit/4011a6e3
BUG=chromium:665054
Review-Url: https://codereview.chromium.org/2577963007
|
|
BUG=chromium:666705
Review-Url: https://codereview.chromium.org/2538703002
|
|
The diff isn't well displayed in Rietveld, and I had to do some interpretation
here, as it wasn't clear what code page these files were pretending to use.
The left quotes were 0x92, the right quote + \n had been converted to ?, and
the negative infinity was 0x96. (I assume maybe Mac something.)
In any case, I tried to interpret the comments and make them something sensible.
In the worst case, it's "only" comments that are broken, as no actual code was
modified.
R=tsepez@chromium.org, brucedawson@chroium.org
BUG=637203,454858
Review URL: https://codereview.chromium.org/2545593002 .
|
|
This fixed several issues.
BUG=chromium:654265,chromium:657282,chromium:654676,chromium:654313
Review-Url: https://codereview.chromium.org/2482523003
|
|
BUG=chromium:658223
Review-Url: https://codereview.chromium.org/2480013002
|
|
Also fixed wrong patch file name.
This is fixup of 958e57cb and d2023170
TEST=apply this change in lcms' repo and make check
BUG=chromium:651849,chromium:654198
Review-Url: https://codereview.chromium.org/2424803002
|
|
LerpFloat functions expect input values are normal float. They first
clamp values to the range of [0.0, 1.0] and then calculate interpolation
with the input values.
If the input value is NaN, it will lead to heap buffer overflow because
the index to LutTable is calculated based on the said value and
fclamp(NaN) is not in expected [0.0, 1.0] range.
This patch rejects all NaN values earlier when reading float numbers. So
it also changed behavior for cases other than LerpFloat. I think it is
okay because NaN doesn't make sense for usual calculations.
BUG=654676
Review-Url: https://codereview.chromium.org/2422553002
|
|
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.
BUG=chromium:651849
Review-Url: https://codereview.chromium.org/2384063006
|
|
BUG=650277
Review-Url: https://codereview.chromium.org/2371723003
|
|
found by libfuzzer
Review-Url: https://codereview.chromium.org/2359243003
|
|
Found by libfuzzer
Review-Url: https://codereview.chromium.org/2362813002
|
|
Handle the case that GrowNamedColorList return fail when list is too
long. Otherwise the loop never ends.
Found by libfuzzer
Review-Url: https://codereview.chromium.org/2365663002
|
|
Cherry-picked from upstream commit 6da55e0b51124b795b707d318c0e03252222ba06
BUG=chromium:616253
Review-Url: https://codereview.chromium.org/2034123003
|
|
R=tsepez@chromium.org
BUG=584223
Review URL: https://codereview.chromium.org/1672163002 .
|