From 958e57cbe864f356140b74cbc3b70bf352187bd4 Mon Sep 17 00:00:00 2001
From: kcwu <kcwu@chromium.org>
Date: Tue, 4 Oct 2016 19:00:41 -0700
Subject: Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.

BUG=chromium:651849

Review-Url: https://codereview.chromium.org/2384063006
---
 third_party/lcms2-2.6/README.pdfium | 1 +
 1 file changed, 1 insertion(+)

(limited to 'third_party/lcms2-2.6/README.pdfium')

diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 29479392c4..1fa3f56164 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -18,4 +18,5 @@ Local Modifications:
 0006-memory-leak-Type_NamedColor_Read.patch: Fix memory leak in Type_NamedColor_Read.
 0007-memory-leak-OptimizeByResampling.patch: Fix memory leak in OptimizeByResampling.
 0008-memory-leak-Type_MPEmatrix_Read.patch: Fix memory leak in MPEmatrix_Read.
+0009-cols-rows-swap.patch: Fix rows/cols swap in cmsStageAllocMatrix.
 TODO(ochang): List other patches.
-- 
cgit v1.2.3