Fix cmdStageAllocMatrix parameter swap

Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.

BUG=chromium:651849
Committed: https://pdfium.googlesource.com/pdfium/+/958e57cbe864f356140b74cbc3b70bf352187bd4

[kcwu, 2016-10-04 02:22:39]

kcwu@chromium.org changed reviewers:
+ dsinclair@chromium.org

[kcwu, 2016-10-04 02:22:40]

I found the root cause -- offset buffer allocated with wrong length. 

However, I am not sure which variables (ptr or size? caller or callee?) are
swapped. Since I don't understand what lcms is calculating, this fix is based on
my common sense best guess.

Please help review it. Thanks

[dsinclair, 2016-10-04 13:15:14]

dsinclair@chromium.org changed reviewers:
+ thestig@chromium.org, tsepez@chromium.org

[dsinclair, 2016-10-04 13:15:14]

I don't know if this is right either. Can we send the patch upstream and try to
land it there first?

[kcwu, 2016-10-04 14:49:50]

On 2016/10/04 13:15:14, dsinclair wrote:
> I don't know if this is right either. Can we send the patch upstream and try
to
> land it there first?

(sorry if reply duplicated)

I can try. But note that I send 4 pull requests 2 weeks ago and the maintainer
haven't merged.https://github.com/mm2/Little-CMS/pulls

[Tom Sepez, 2016-10-04 18:26:38]

lgtm

[kcwu, 2016-10-05 01:41:43]

The CQ bit was checked by kcwu@chromium.org

[commit-bot: I haz the power, 2016-10-05 01:41:49]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-05 02:00:43]

Description was changed from

==========
Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.

BUG=chromium:651849
==========

to

==========
Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.

BUG=chromium:651849

Committed:
https://pdfium.googlesource.com/pdfium/+/958e57cbe864f356140b74cbc3b70bf35218...
==========

[commit-bot: I haz the power, 2016-10-05 02:00:44]

Committed patchset #1 (id:1) as
https://pdfium.googlesource.com/pdfium/+/958e57cbe864f356140b74cbc3b70bf35218...