
Side by Side Diff: third_party/lcms2-2.6/src/cmstypes.c

Issue 2362813002: Fix use uninitialized value and stack buffer overflow read (Closed)
Patch Set: address tsepez's comments Created 4 years, 2 months ago
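--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -1,10 +1,10 @@
 //------------------------------------------------------------------------------ ---
 //
 // Little Color Management System
 // Copyright (c) 1998-2014 Marti Maria Saguer
 //
 // Permission is hereby granted, free of charge, to any person obtaining
 // a copy of this software and associated documentation files (the "Software"),
 // to deal in the Software without restriction, including without limitation
 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
 // and/or sell copies of the Software, and to permit persons to whom the Softwar e
@@ -2957,36 +2957,36 @@
 value. The first colorant listed is the colorant of the first device channel of
 a lut tag. The second colorant listed is the colorant of the second device chann el
 of a lut tag, and so on.
 */
 
 static
 void *Type_ColorantTable_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER * io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)
 {
 cmsUInt32Number i, Count;
 cmsNAMEDCOLORLIST* List;
-char Name[34];
+char Name[33];
 cmsUInt16Number PCS[3];
 
 
 if (!_cmsReadUInt32Number(io, &Count)) return NULL;
 
 if (Count > cmsMAXCHANNELS) {
 cmsSignalError(self->ContextID, cmsERROR_RANGE, "Too many colorants '%d' ", Count);
 return NULL;
 }
 
 List = cmsAllocNamedColorList(self ->ContextID, Count, 0, "", "");
 for (i=0; i < Count; i++) {
 
 if (io ->Read(io, Name, 32, 1) != 1) goto Error;
-Name[33] = 0;
+Name[32] = 0;
 
 if (!_cmsReadUInt16Array(io, 3, PCS)) goto Error;
 
 if (!cmsAppendNamedColor(List, Name, PCS, NULL)) goto Error;
 
 }
 
 *nItems = 1;
 return List;
 
@@ -3099,20 +3099,21 @@
 return 0;
 }
 for (i=0; i < count; i++) {
 
 cmsUInt16Number PCS[3];
 cmsUInt16Number Colorant[cmsMAXCHANNELS];
 char Root[33];
 
 memset(Colorant, 0, sizeof(Colorant));
 if (io -> Read(io, Root, 32, 1) != 1) return NULL;
+Root[32] = 0;
 if (!_cmsReadUInt16Array(io, 3, PCS)) goto Error;
 if (!_cmsReadUInt16Array(io, nDeviceCoords, Colorant)) goto Error;
 
 if (!cmsAppendNamedColor(v, Root, PCS, Colorant)) goto Error;
 }
 
 *nItems = 1;
 return (void*) v ;
 
 Error:
@@ -5555,10 +5556,10 @@
 
 for (pt = SupportedTags;
 pt != NULL;
 pt = pt ->Next) {
 
 if (sig == pt -> Signature) return &pt ->Descriptor;
 }
 
 return NULL;
 }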
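Review bot: In the named-color loop (new line 3108) a failed 32-byte read of `Root` still leaves through `return NULL`, while every other failure in the same loop uses `goto Error`; if `v` was allocated before the loop, as the later `return (void*) v` suggests, a truncated tag leaks the list on that path. Changing the line to `if (io -> Read(io, Root, 32, 1) != 1) goto Error;` would make the short-read case consistent with the rest. The terminators would also be harder to get wrong again if they were tied to the array size, e.g. `Name[sizeof(Name) - 1] = 0;` and `Root[sizeof(Root) - 1] = 0;`, with a comment such as `// Read() fills 32 bytes; the profile is not required to supply a NUL`. The allocation of `v` and the body of `Error:` are outside the visible lines, so the leak should be confirmed there.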