From 81a3c2408a1fb3e3cc4b06d659cce19157ee0a91 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Thu, 30 Aug 2018 20:15:34 +0000
Subject: Add check on CGATS memory allocation in littlecms.

This pull in the relevant bits from upstream commit 768f70ca.

BUG=chromium:872189

Change-Id: I6a970a00ff322768cddc2825e4b6e3e12400d43d
Reviewed-on: https://pdfium-review.googlesource.com/41671
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 third_party/lcms/src/cmscgats.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'third_party/lcms/src/cmscgats.c')

diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
index 55f74ede8b..0738a1cce3 100644
--- a/third_party/lcms/src/cmscgats.c
+++ b/third_party/lcms/src/cmscgats.c
@@ -1504,10 +1504,16 @@ void AllocateDataSet(cmsIT8* it8)
     t-> nSamples   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
     t-> nPatches   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
 
-    t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
-    if (t->Data == NULL) {
+    if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+    {
+        SynError(it8, "AllocateDataSet: too much data");
+    }
+    else {
+        t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+        if (t->Data == NULL) {
 
-        SynError(it8, "AllocateDataSet: Unable to allocate data array");
+            SynError(it8, "AllocateDataSet: Unable to allocate data array");
+        }
     }
 
 }
-- 
cgit v1.2.3