From 649815d0d6e57f3a551e73ae464589b0dedf913d Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Wed, 18 Jul 2018 20:27:59 +0000
Subject: Handle wrong tag element count in littlecms.

BUG=chromium:864932

Change-Id: I7e87ba6e0fc6e2bdefcee29cbc0b60cb9ec9e316
Reviewed-on: https://pdfium-review.googlesource.com/38270
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 third_party/lcms/0031-wrong-tag-element-count.patch | 12 ++++++++++++
 third_party/lcms/README.pdfium                      |  1 +
 third_party/lcms/src/cmsio0.c                       |  1 +
 3 files changed, 14 insertions(+)
 create mode 100644 third_party/lcms/0031-wrong-tag-element-count.patch

(limited to 'third_party')

diff --git a/third_party/lcms/0031-wrong-tag-element-count.patch b/third_party/lcms/0031-wrong-tag-element-count.patch
new file mode 100644
index 0000000000..a62bc3de6d
--- /dev/null
+++ b/third_party/lcms/0031-wrong-tag-element-count.patch
@@ -0,0 +1,12 @@
+diff --git a/third_party/lcms/src/cmsio0.c b/third_party/lcms/src/cmsio0.c
+index cc5f89064..63bbe36a8 100644
+--- a/third_party/lcms/src/cmsio0.c
++++ b/third_party/lcms/src/cmsio0.c
+@@ -1616,6 +1616,7 @@ void* CMSEXPORT cmsReadTag(cmsHPROFILE hProfile, cmsTagSignature sig)
+         _cmsTagSignature2String(String, sig);
+         cmsSignalError(Icc ->ContextID, cmsERROR_CORRUPTION_DETECTED, "'%s' Inconsistent number of items: expected %d, got %d",
+             String, TagDescriptor ->ElemCount, ElemCount);
++        goto Error;
+     }
+ 
+ 
diff --git a/third_party/lcms/README.pdfium b/third_party/lcms/README.pdfium
index 0c7dff4de2..f5ea9b1792 100644
--- a/third_party/lcms/README.pdfium
+++ b/third_party/lcms/README.pdfium
@@ -42,3 +42,4 @@ Local Modifications:
 0028-do-not-quickfloor.patch: flooring errors may cause heap-buffer-overflow.
 0029-drop-register-keyword.patch: Remove deprecated 'register' keyword.
 0030-const-data.patch: Mark many data structures as const.
+0031-wrong-tag-element-count.patch: Handle tag element count mismatch as an error.
diff --git a/third_party/lcms/src/cmsio0.c b/third_party/lcms/src/cmsio0.c
index cc5f890644..63bbe36a83 100644
--- a/third_party/lcms/src/cmsio0.c
+++ b/third_party/lcms/src/cmsio0.c
@@ -1616,6 +1616,7 @@ void* CMSEXPORT cmsReadTag(cmsHPROFILE hProfile, cmsTagSignature sig)
         _cmsTagSignature2String(String, sig);
         cmsSignalError(Icc ->ContextID, cmsERROR_CORRUPTION_DETECTED, "'%s' Inconsistent number of items: expected %d, got %d",
             String, TagDescriptor ->ElemCount, ElemCount);
+        goto Error;
     }
 
 
-- 
cgit v1.2.3