From e3f237740fd8bea50b4a6f37f56455dfa0328546 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 22 Feb 2017 12:00:58 -0500
Subject: lcms upstream patches to fix security bug
Patch that fixes LUT consistency: https://github.com/mm2/Little-CMS/commit/9936ecf0745002cea8e46dc575079b4872e9af8c
Patch that sanitizes MPE profiles: https://github.com/mm2/Little-CMS/commit/06662a755525586223efe1790da1497d5b2d9e67
BUG=675617
Change-Id: I9ccc4158432387360dcb358e2a015a9434df46e4
Reviewed-on: https://pdfium-review.googlesource.com/2820
Commit-Queue: dsinclair
Reviewed-by: Tom Sepez
Reviewed-by: dsinclair
---
 third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch | 170 +++++++++++++++++++++
 1 file changed, 170 insertions(+)
 create mode 100644 third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch
(limited to 'third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch')
diff --git a/third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch b/third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch
new file mode 100644
index 0000000000..bfa84e2eed
--- /dev/null
+++ b/third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch
@@ -0,0 +1,170 @@
+diff --git a/third_party/lcms2-2.6/src/cmslut.c b/third_party/lcms2-2.6/src/cmslut.c
+index 9b0eb4b54..19d43361f 100644
+--- a/third_party/lcms2-2.6/src/cmslut.c
++++ b/third_party/lcms2-2.6/src/cmslut.c
+@@ -1255,21 +1255,39 @@ cmsStage* CMSEXPORT cmsStageDup(cmsStage* mpe)
+ // ***********************************************************************************************************
+ 
+ // This function sets up the channel count
+-
+ static
+-void BlessLUT(cmsPipeline* lut)
++cmsBool BlessLUT(cmsPipeline* lut)
+ {
+ // We can set the input/ouput channels only if we have elements.
+ if (lut ->Elements != NULL) {
+ 
+- cmsStage *First, *Last;
++ cmsStage* prev;
++ cmsStage* next;
++ cmsStage* First;
++ cmsStage* Last;
+ 
+ First = cmsPipelineGetPtrToFirstStage(lut);
+ Last = cmsPipelineGetPtrToLastStage(lut);
+ 
+- if (First != NULL)lut ->InputChannels = First ->InputChannels;
+- if (Last != NULL) lut ->OutputChannels = Last ->OutputChannels;
++ if (First == NULL || Last == NULL) return FALSE;
++
++ lut->InputChannels = First->InputChannels;
++ lut->OutputChannels = Last->OutputChannels;
++
++ // Check chain consistency
++ prev = First;
++ next = prev->Next;
++
++ while (next != NULL)
++ {
++ if (next->InputChannels != prev->OutputChannels)
++ return FALSE;
++
++ next = next->Next;
++ prev = prev->Next;
++ }
+ }
++ return TRUE;
+ }
+ 
+ 
+@@ -1331,6 +1349,7 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
+ {
+ cmsPipeline* NewLUT;
+ 
++ // A value of zero in channels is allowed as placeholder
+ if (InputChannels >= cmsMAXCHANNELS ||
+ OutputChannels >= cmsMAXCHANNELS) return NULL;
+ 
+@@ -1348,7 +1367,11 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number In
+ NewLUT ->Data = NewLUT;
+ NewLUT ->ContextID = ContextID;
+ 
+- BlessLUT(NewLUT);
++ if (!BlessLUT(NewLUT))
++ {
++ _cmsFree(ContextID, NewLUT);
++ return NULL;
++ }
+ 
+ return NewLUT;
+ }
+@@ -1454,7 +1477,12 @@ cmsPipeline* CMSEXPORT cmsPipelineDup(const cmsPipeline* lut)
+ 
+ NewLUT ->SaveAs8Bits = lut ->SaveAs8Bits;
+ 
+- BlessLUT(NewLUT);
++ if (!BlessLUT(NewLUT))
++ {
++ _cmsFree(lut->ContextID, NewLUT);
++ return NULL;
++ }
++
+ return NewLUT;
+ }
+ 
+@@ -1491,8 +1519,7 @@ int CMSEXPORT cmsPipelineInsertStage(cmsPipeline* lut, cmsStageLoc loc, cmsStage
+ return FALSE;
+ }
+ 
+- BlessLUT(lut);
+- return TRUE;
++ return BlessLUT(lut);
+ }
+ 
+ // Unlink an element and return the pointer to it
+@@ -1547,6 +1574,7 @@ void CMSEXPORT cmsPipelineUnlinkStage(cmsPipeline* lut, cmsStageLoc loc, cmsStag
+ else
+ cmsStageFree(Unlinked);
+ 
++ // May fail, but we ignore it
+ BlessLUT(lut);
+ }
+ 
+@@ -1573,8 +1601,7 @@ cmsBool CMSEXPORT cmsPipelineCat(cmsPipeline* l1, const cmsPipeline* l2)
+ return FALSE;
+ }
+ 
+- BlessLUT(l1);
+- return TRUE;
++ return BlessLUT(l1);
+ }
+ 
+ 
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index e5ed06c33..0256e247b 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -1755,8 +1755,8 @@ void *Type_LUT8_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cms
+ if (!_cmsReadUInt8Number(io, NULL)) goto Error;
+ 
+ // Do some checking
+- if (InputChannels > cmsMAXCHANNELS) goto Error;
+- if (OutputChannels > cmsMAXCHANNELS) goto Error;
++ if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
++ if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
+ 
+ // Allocates an empty Pipeline
+ NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
+@@ -2048,8 +2048,8 @@ void *Type_LUT16_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
+ if (!_cmsReadUInt8Number(io, NULL)) return NULL;
+ 
+ // Do some checking
+- if (InputChannels > cmsMAXCHANNELS) goto Error;
+- if (OutputChannels > cmsMAXCHANNELS) goto Error;
++ if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
++ if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
+ 
+ // Allocates an empty LUT
+ NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
+@@ -2486,7 +2486,10 @@ void* Type_LUTA2B_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
+ if (!_cmsReadUInt32Number(io, &offsetC)) return NULL;
+ if (!_cmsReadUInt32Number(io, &offsetA)) return NULL;
+ 
+- // Allocates an empty LUT
++ if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
++ if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
++
++ // Allocates an empty LUT
+ NewLUT = cmsPipelineAlloc(self ->ContextID, inputChan, outputChan);
+ if (NewLUT == NULL) return NULL;
+ 
+@@ -2794,6 +2797,9 @@ void* Type_LUTB2A_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
+ if (!_cmsReadUInt8Number(io, &inputChan)) return NULL;
+ if (!_cmsReadUInt8Number(io, &outputChan)) return NULL;
+ 
++ if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
++ if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
++
+ // Padding
+ if (!_cmsReadUInt16Number(io, NULL)) return NULL;
+ 
+@@ -4443,6 +4449,9 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ if (!_cmsReadUInt16Number(io, &InputChans)) return NULL;
+ if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
+ 
++ if (InputChans == 0 || InputChans >= cmsMAXCHANNELS) return NULL;
++ if (OutputChans == 0 || OutputChans >= cmsMAXCHANNELS) return NULL;
++
+ // Allocates an empty LUT
+ NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
+ if (NewLUT == NULL) return NULL;
-- cgit v1.2.3
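Review bot: The new failure path in cmsPipelineDup releases only the pipeline header with `_cmsFree(lut->ContextID, NewLUT)`, yet by that point the function has presumably already cloned the source stages into NewLUT (that loop is outside the hunk), so a FALSE from BlessLUT would leak the whole stage chain; `cmsPipelineFree(NewLUT);` releases the header and its stages together and is the safer choice here. The matching `_cmsFree` in cmsPipelineAlloc is harmless because a freshly allocated pipeline has no elements, which means BlessLUT returns TRUE there and that branch is effectively dead. Two contract changes in the same patch deserve a comment: cmsPipelineInsertStage can now return FALSE after the stage has already been linked into lut, so callers must free lut rather than the stage on failure, and cmsPipelineUnlinkStage discards the BlessLUT result, leaving InputChannels/OutputChannels refreshed while the remaining chain may still be inconsistent. A one-line note such as `// On FALSE the stage is already owned by lut; free lut, not the stage` above cmsPipelineInsertStage would make the new ownership rule explicit. The bodies of cmsPipelineDup and cmsPipelineUnlinkStage start outside the hunk.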