From 958e57cbe864f356140b74cbc3b70bf352187bd4 Mon Sep 17 00:00:00 2001
From: kcwu
Date: Tue, 4 Oct 2016 19:00:41 -0700
Subject: Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later.

BUG=chromium:651849
Review-Url: https://codereview.chromium.org/2384063006
---
 .../lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch | 13 +++++++++++++
 third_party/lcms2-2.6/README.pdfium | 1 +
 third_party/lcms2-2.6/src/cmstypes.c | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch

diff --git a/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch b/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch
new file mode 100644
index 0000000000..cb4156936d
--- /dev/null
+++ b/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 15199c7..6f335d9 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -4225,7 +4225,7 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
+ }
+ 
+ 
+- mpe = cmsStageAllocMatrix(self ->ContextID, OutputChans, InputChans, Matrix, Offsets);
++ mpe = cmsStageAllocMatrix(self ->ContextID, InputChans, OutputChans, Matrix, Offsets);
+ _cmsFree(self ->ContextID, Matrix);
+ _cmsFree(self ->ContextID, Offsets);
+ 
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 29479392c4..1fa3f56164 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -18,4 +18,5 @@ Local Modifications:
 0006-memory-leak-Type_NamedColor_Read.patch: Fix memory leak in Type_NamedColor_Read.
 0007-memory-leak-OptimizeByResampling.patch: Fix memory leak in OptimizeByResampling.
 0008-memory-leak-Type_MPEmatrix_Read.patch: Fix memory leak in MPEmatrix_Read.
+0009-cols-rows-swap.patch: Fix rows/cols swap in cmsStageAllocMatrix.
 TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 15199c7084..6f335d9bb1 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -4225,7 +4225,7 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
 }
 
 
- mpe = cmsStageAllocMatrix(self ->ContextID, OutputChans, InputChans, Matrix, Offsets);
+ mpe = cmsStageAllocMatrix(self ->ContextID, InputChans, OutputChans, Matrix, Offsets);
 _cmsFree(self ->ContextID, Matrix);
 _cmsFree(self ->ContextID, Offsets);
 
-- cgit v1.2.3
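Review bot: The swap on the `+` line in the cmstypes.c hunk fixes the Offset sizing only by changing what cmsStageAllocMatrix sees as Rows and Cols, so any other use the callee makes of those two counts — presumably the stage's input/output channel counts and the row stride used when the matrix is applied — is swapped along with it, which for InputChans != OutputChans changes the stage's shape rather than just its allocation. The commit message itself locates the defect at cmslut.c:417, where `NewElem->Offset` is sized from Cols; the narrower fix is to size and copy Offset from the output-channel count there and leave this call in its original order, so the call site keeps the callee's documented argument meaning. Either way both counts come straight from the file, so a regression profile with InputChans != OutputChans in each direction, run under ASan, is what distinguishes a real fix from one that merely moves the over-read. Type_MPEmatrix_Read starts and ends outside the hunk, so how InputChans, OutputChans and the Offsets buffer are sized before this call is not visible here. Separately, the README entry added in this commit names the patch `0009-cols-rows-swap.patch` while the file created is `0009-cmdStageAllocMatrix-param-swap.patch`; the two should agree.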