From 4e3f2d2a00892e0ef7cd121c6397f0cbb059cf72 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Mon, 27 Feb 2017 16:08:20 -0500 Subject: LCMS upstream patch to fix integer overflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch: https://github.com/mm2/Little-CMS/commit/9f427d5ff544ab1be37f485ac13b2419a1610cc3 BUG=696430 Change-Id: I20b8b4aad565d6f6aaed8c66be7e9709eec2b5ce Reviewed-on: https://pdfium-review.googlesource.com/2849 Reviewed-by: Tom Sepez Commit-Queue: Nicolás Peña --- ...-upstream-integer-overflow-MPEmatrix_Read.patch | 85 ++++++++++++++++++++++ third_party/lcms2-2.6/README.pdfium | 1 + third_party/lcms2-2.6/src/cmscgats.c | 25 ++++--- third_party/lcms2-2.6/src/cmstypes.c | 6 +- 4 files changed, 104 insertions(+), 13 deletions(-) create mode 100644 third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch diff --git a/third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch b/third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch new file mode 100644 index 0000000000..47df7a887d --- /dev/null +++ b/third_party/lcms2-2.6/0017-upstream-integer-overflow-MPEmatrix_Read.patch 
@@ -0,0 +1,85 @@ +diff --git a/third_party/lcms2-2.6/src/cmscgats.c b/third_party/lcms2-2.6/src/cmscgats.c +index 5720c66a7..cce4cedba 100644 +--- a/third_party/lcms2-2.6/src/cmscgats.c ++++ b/third_party/lcms2-2.6/src/cmscgats.c +@@ -150,23 +150,24 @@ typedef struct { + SUBALLOCATOR Allocator; // String suballocator -- just to keep it fast + + // Parser state machine +- SYMBOL sy; // Current symbol +- int ch; // Current character ++ SYMBOL sy; // Current symbol ++ int ch; // Current character ++ ++ cmsInt32Number inum; // integer value ++ cmsFloat64Number dnum; // real value + +- int inum; // integer value +- cmsFloat64Number dnum; // real value + char id[MAXID]; // identifier + char str[MAXSTR]; // string + + // Allowed keywords & datasets. They have visibility on whole stream +- KEYVALUE* ValidKeywords; +- KEYVALUE* ValidSampleID; ++ KEYVALUE* ValidKeywords; ++ KEYVALUE* ValidSampleID; + + char* Source; // Points to loc. being parsed +- int lineno; // line counter for error reporting ++ cmsInt32Number lineno; // line counter for error reporting + + FILECTX* FileStack[MAXINCLUDE]; // Stack of files being parsed +- int IncludeSP; // Include Stack Pointer ++ cmsInt32Number IncludeSP; // Include Stack Pointer + + char* MemoryBlock; // The stream if holded in memory + +@@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum) + // Exponent, example 34.00E+20 + if (toupper(it8->ch) == 'E') { + +- int e; +- int sgn; ++ cmsInt32Number e; ++ cmsInt32Number sgn; + + NextCh(it8); sgn = 1; + +@@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum) + e = 0; + while (isdigit(it8->ch)) { + +- if ((cmsFloat64Number) e * 10L < INT_MAX) ++ if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0) + e = e * 10 + (it8->ch - '0'); + + NextCh(it8); +@@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8) + + while (isdigit(it8->ch)) { + +- if ((long) it8->inum * 10L > (long) INT_MAX) { ++ if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) { + ReadReal(it8, 
it8->inum); + it8->sy = SDNUM; + it8->dnum *= sign; +diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c +index 0256e247b..75f1fae32 100644 +--- a/third_party/lcms2-2.6/src/cmstypes.c ++++ b/third_party/lcms2-2.6/src/cmstypes.c +@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io + if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL; + + ++ // Input and output chans may be ANY (up to 0xffff), ++ // but we choose to limit to 16 channels for now ++ if (InputChans >= cmsMAXCHANNELS) return NULL; ++ if (OutputChans >= cmsMAXCHANNELS) return NULL; ++ + nElems = InputChans * OutputChans; + +- // Input and output chans may be ANY (up to 0xffff) + Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number)); + if (Matrix == NULL) return NULL; + diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium index cfa790969b..650429826c 100644 --- a/third_party/lcms2-2.6/README.pdfium +++ b/third_party/lcms2-2.6/README.pdfium @@ -28,4 +28,5 @@ Local Modifications: 0015-sanitize-float-read.patch: Sanitize floating point read. Partially backport from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3 0016-check-LUT-and-MPE.patch: check LUT consistency and sanitize MPE profiles. +0017-upstream-integer-overflow-MPEmatrix_Read.patch: fix some integer overflows. TODO(ochang): List other patches. diff --git a/third_party/lcms2-2.6/src/cmscgats.c b/third_party/lcms2-2.6/src/cmscgats.c index 5720c66a74..cce4cedbad 100644 --- a/third_party/lcms2-2.6/src/cmscgats.c +++ b/third_party/lcms2-2.6/src/cmscgats.c 
@@ -150,23 +150,24 @@ typedef struct { SUBALLOCATOR Allocator; // String suballocator -- just to keep it fast // Parser state machine - SYMBOL sy; // Current symbol - int ch; // Current character + SYMBOL sy; // Current symbol + int ch; // Current character + + cmsInt32Number inum; // integer value + cmsFloat64Number dnum; // real value - int inum; // integer value - cmsFloat64Number dnum; // real value char id[MAXID]; // identifier char str[MAXSTR]; // string // Allowed keywords & datasets. They have visibility on whole stream - KEYVALUE* ValidKeywords; - KEYVALUE* ValidSampleID; + KEYVALUE* ValidKeywords; + KEYVALUE* ValidSampleID; char* Source; // Points to loc. being parsed - int lineno; // line counter for error reporting + cmsInt32Number lineno; // line counter for error reporting FILECTX* FileStack[MAXINCLUDE]; // Stack of files being parsed - int IncludeSP; // Include Stack Pointer + cmsInt32Number IncludeSP; // Include Stack Pointer char* MemoryBlock; // The stream if holded in memory @@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum) // Exponent, example 34.00E+20 if (toupper(it8->ch) == 'E') { - int e; - int sgn; + cmsInt32Number e; + cmsInt32Number sgn; NextCh(it8); sgn = 1; @@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum) e = 0; while (isdigit(it8->ch)) { - if ((cmsFloat64Number) e * 10L < INT_MAX) + if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0) e = e * 10 + (it8->ch - '0'); NextCh(it8); @@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8) while (isdigit(it8->ch)) { - if ((long) it8->inum * 10L > (long) INT_MAX) { + if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) { ReadReal(it8, it8->inum); it8->sy = SDNUM; it8->dnum *= sign; diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c index 0256e247b4..75f1fae32a 100644 --- a/third_party/lcms2-2.6/src/cmstypes.c +++ b/third_party/lcms2-2.6/src/cmstypes.c 
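Review bot: The new guard in the ReadReal hunk at `@@ -587` only checks that `e * 10` stays below INT_MAX, but the very next line adds the digit, so `e == 214748364` passes the guard and `e * 10 + 9` overflows the `cmsInt32Number` — still signed-overflow UB on untrusted IT8 input, just one digit later. Fold the digit into the comparison, e.g. `if ((cmsFloat64Number) e * 10.0 + (it8->ch - '0') <= (cmsFloat64Number) +2147483647.0)`, or stay in integers with `if (e <= (2147483647 - (it8->ch - '0')) / 10)`. The InSymbol hunk at `@@ -777` has the same shape: `it8->inum * 10L > INT_MAX` diverts to ReadReal, and the accumulation that presumably follows it (`inum * 10 + digit`, outside the hunk) can still overflow when `inum * 10` lands within nine of INT_MAX, so that guard needs the digit folded in as well. Naming the `2147483647.0` literal once (a `static const cmsFloat64Number` near the struct) would keep the two guards from drifting apart. The bodies of ReadReal and InSymbol both start and end outside their hunks.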
@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL; + // Input and output chans may be ANY (up to 0xffff), + // but we choose to limit to 16 channels for now + if (InputChans >= cmsMAXCHANNELS) return NULL; + if (OutputChans >= cmsMAXCHANNELS) return NULL; + nElems = InputChans * OutputChans; - // Input and output chans may be ANY (up to 0xffff) Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number)); if (Matrix == NULL) return NULL; -- cgit v1.2.3
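Review bot: The added check `if (InputChans >= cmsMAXCHANNELS) return NULL;` (and its OutputChans twin) rejects a matrix with exactly cmsMAXCHANNELS channels, while the comment two lines above says the limit is 16 channels; if 16-channel matrices are meant to load, the test should be `> cmsMAXCHANNELS`, otherwise the comment should read `// but we choose to allow fewer than cmsMAXCHANNELS channels for now` so the next reader does not "fix" the operator. Either way the bound keeps `nElems = InputChans * OutputChans` far from overflow, which is the point of the patch. A channel count of 0 still passes both checks and reaches `_cmsCalloc(..., 0, ...)`; whether a zero-element matrix is handled further down cannot be seen here, so it is worth checking in the rest of Type_MPEmatrix_Read, which continues outside the hunk.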