From 175a8588f4290df8ec32d697c0248eb5c6b2c396 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Tue, 22 Aug 2017 11:01:51 -0400
Subject: Do not QuickFloor on cmsintrp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In this CL, the flag CMS_DONT_USE_FAST_FLOOR is set to true because quickfloor could cause heap-buffer-overflow due to flooring errors. In the testcase for the bug, Input[2] is a number very close but smaller than 1 such that quickfloor returned 1 (whereas Input[2] >= 1.0 was false).

Bug: chromium:752725
Change-Id: Ibb1763aa120a600e86602f1a46c4cd6d0d6bebd5
Reviewed-on: https://pdfium-review.googlesource.com/11310
Reviewed-by: Tom Sepez
Reviewed-by: dsinclair
Commit-Queue: Nicolás Peña
---
 third_party/lcms/0028-do-not-quickfloor.patch | 13 +++++++++++++
 third_party/lcms/README.pdfium | 1 +
 third_party/lcms/include/lcms2.h | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 third_party/lcms/0028-do-not-quickfloor.patch

diff --git a/third_party/lcms/0028-do-not-quickfloor.patch b/third_party/lcms/0028-do-not-quickfloor.patch
new file mode 100644
index 0000000000..598917a939
--- /dev/null
+++ b/third_party/lcms/0028-do-not-quickfloor.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/lcms/include/lcms2.h b/third_party/lcms/include/lcms2.h
+index 739e6e1f8..c84a4fd93 100644
+--- a/third_party/lcms/include/lcms2.h
++++ b/third_party/lcms/include/lcms2.h
+@@ -38,7 +38,7 @@
+ // #define CMS_DONT_USE_INT64 1
+ 
+ // Uncomment this if your compiler doesn't work with fast floor function
+-// #define CMS_DONT_USE_FAST_FLOOR 1
++#define CMS_DONT_USE_FAST_FLOOR 1
+ 
+ // Uncomment this line if you want lcms to use the black point tag in profile,
+ // if commented, lcms will compute the black point by its own.
diff --git a/third_party/lcms/README.pdfium b/third_party/lcms/README.pdfium
index 3167130c56..f8fe7e749e 100644
--- a/third_party/lcms/README.pdfium
+++ b/third_party/lcms/README.pdfium
@@ -39,3 +39,4 @@ Local Modifications:
 0025-upstream-direct-leak-Type_MPE_Read.patch: fix leak in cmstypes.c.
 0026-more-unsupported-characters.patch: remove other unsupported characters.
 0027-changes-from-beginning-of-time.patch: commented changes from initial commit.
+0028-do-not-quickfloor.patch: flooring errors may cause heap-buffer-overflow.
diff --git a/third_party/lcms/include/lcms2.h b/third_party/lcms/include/lcms2.h
index 739e6e1f82..c84a4fd937 100644
--- a/third_party/lcms/include/lcms2.h
+++ b/third_party/lcms/include/lcms2.h
@@ -38,7 +38,7 @@
 // #define CMS_DONT_USE_INT64 1
 
 // Uncomment this if your compiler doesn't work with fast floor function
-// #define CMS_DONT_USE_FAST_FLOOR 1
+#define CMS_DONT_USE_FAST_FLOOR 1
 
 // Uncomment this line if you want lcms to use the black point tag in profile,
 // if commented, lcms will compute the black point by its own.
-- 
cgit v1.2.3
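Review bot: The comment left above the new `#define CMS_DONT_USE_FAST_FLOOR 1` in lcms2.h still reads `// Uncomment this if your compiler doesn't work with fast floor function`, which no longer describes why the define is now unconditional; the rationale lives only in the commit message and the README entry, so the next upstream lcms sync is likely to restore the commented-out form. I would replace that comment with one that records the actual reason, e.g. `// pdfium: always use the portable floor. The fast floor can return N for an input just below N, so a value that passed the < 1.0 check still produces an out-of-range LUT index in cmsintrp (chromium:752725).` Forcing the slow floor closes that one rounding path but adds no bounds check in the interpolation code itself, which this commit does not touch, so the fix presumably relies on the existing range checks there holding for correctly floored inputs. The same stale comment is carried into the new 0028-do-not-quickfloor.patch file, which should be regenerated if the header comment is changed.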