Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(166)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/lcms2-2.6/0016-check-LUT-and-MPE.patch

Issue 2711783009: [M57] lcms upstream patches to fix security bug (Closed)
Patch Set: Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | third_party/lcms2-2.6/README.pdfium » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 diff --git a/third_party/lcms2-2.6/src/cmslut.c b/third_party/lcms2-2.6/src/cmsl ut.c
2 index 9b0eb4b54..19d43361f 100644
3 --- a/third_party/lcms2-2.6/src/cmslut.c
4 +++ b/third_party/lcms2-2.6/src/cmslut.c
5 @@ -1255,21 +1255,39 @@ cmsStage* CMSEXPORT cmsStageDup(cmsStage* mpe)
6 // **************************************************************************** *******************************
7
8 // This function sets up the channel count
9 -
10 static
11 -void BlessLUT(cmsPipeline* lut)
12 +cmsBool BlessLUT(cmsPipeline* lut)
13 {
14 // We can set the input/ouput channels only if we have elements.
15 if (lut ->Elements != NULL) {
16
17 - cmsStage *First, *Last;
18 + cmsStage* prev;
19 + cmsStage* next;
20 + cmsStage* First;
21 + cmsStage* Last;
22
23 First = cmsPipelineGetPtrToFirstStage(lut);
24 Last = cmsPipelineGetPtrToLastStage(lut);
25
26 - if (First != NULL)lut ->InputChannels = First ->InputChannels;
27 - if (Last != NULL) lut ->OutputChannels = Last ->OutputChannels;
28 + if (First == NULL || Last == NULL) return FALSE;
29 +
30 + lut->InputChannels = First->InputChannels;
31 + lut->OutputChannels = Last->OutputChannels;
32 +
33 + // Check chain consistency
34 + prev = First;
35 + next = prev->Next;
36 +
37 + while (next != NULL)
38 + {
39 + if (next->InputChannels != prev->OutputChannels)
40 + return FALSE;
41 +
42 + next = next->Next;
43 + prev = prev->Next;
44 + }
45 }
46 + return TRUE;
47 }
48
49
50 @@ -1331,6 +1349,7 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext Context ID, cmsUInt32Number In
51 {
52 cmsPipeline* NewLUT;
53
54 + // A value of zero in channels is allowed as placeholder
55 if (InputChannels >= cmsMAXCHANNELS ||
56 OutputChannels >= cmsMAXCHANNELS) return NULL;
57
58 @@ -1348,7 +1367,11 @@ cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext Contex tID, cmsUInt32Number In
59 NewLUT ->Data = NewLUT;
60 NewLUT ->ContextID = ContextID;
61
62 - BlessLUT(NewLUT);
63 + if (!BlessLUT(NewLUT))
64 + {
65 + _cmsFree(ContextID, NewLUT);
66 + return NULL;
67 + }
68
69 return NewLUT;
70 }
71 @@ -1454,7 +1477,12 @@ cmsPipeline* CMSEXPORT cmsPipelineDup(const cmsPipeline* lut)
72
73 NewLUT ->SaveAs8Bits = lut ->SaveAs8Bits;
74
75 - BlessLUT(NewLUT);
76 + if (!BlessLUT(NewLUT))
77 + {
78 + _cmsFree(lut->ContextID, NewLUT);
79 + return NULL;
80 + }
81 +
82 return NewLUT;
83 }
84
85 @@ -1491,8 +1519,7 @@ int CMSEXPORT cmsPipelineInsertStage(cmsPipeline* lut, cms StageLoc loc, cmsStage
86 return FALSE;
87 }
88
89 - BlessLUT(lut);
90 - return TRUE;
91 + return BlessLUT(lut);
92 }
93
94 // Unlink an element and return the pointer to it
95 @@ -1547,6 +1574,7 @@ void CMSEXPORT cmsPipelineUnlinkStage(cmsPipeline* lut, cm sStageLoc loc, cmsStag
96 else
97 cmsStageFree(Unlinked);
98
99 + // May fail, but we ignore it
100 BlessLUT(lut);
101 }
102
103 @@ -1573,8 +1601,7 @@ cmsBool CMSEXPORT cmsPipelineCat(cmsPipeline* l1, const c msPipeline* l2)
104 return FALSE;
105 }
106
107 - BlessLUT(l1);
108 - return TRUE;
109 + return BlessLUT(l1);
110 }
111
112
113 diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cm stypes.c
114 index e5ed06c33..0256e247b 100644
115 --- a/third_party/lcms2-2.6/src/cmstypes.c
116 +++ b/third_party/lcms2-2.6/src/cmstypes.c
117 @@ -1755,8 +1755,8 @@ void *Type_LUT8_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cms
118 if (!_cmsReadUInt8Number(io, NULL)) goto Error;
119
120 // Do some checking
121 - if (InputChannels > cmsMAXCHANNELS) goto Error;
122 - if (OutputChannels > cmsMAXCHANNELS) goto Error;
123 + if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
124 + if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
125
126 // Allocates an empty Pipeline
127 NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
128 @@ -2048,8 +2048,8 @@ void *Type_LUT16_Read(struct _cms_typehandler_struct* self , cmsIOHANDLER* io, cm
129 if (!_cmsReadUInt8Number(io, NULL)) return NULL;
130
131 // Do some checking
132 - if (InputChannels > cmsMAXCHANNELS) goto Error;
133 - if (OutputChannels > cmsMAXCHANNELS) goto Error;
134 + if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
135 + if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
136
137 // Allocates an empty LUT
138 NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
139 @@ -2486,7 +2486,10 @@ void* Type_LUTA2B_Read(struct _cms_typehandler_struct* se lf, cmsIOHANDLER* io, c
140 if (!_cmsReadUInt32Number(io, &offsetC)) return NULL;
141 if (!_cmsReadUInt32Number(io, &offsetA)) return NULL;
142
143 - // Allocates an empty LUT
144 + if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
145 + if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
146 +
147 + // Allocates an empty LUT
148 NewLUT = cmsPipelineAlloc(self ->ContextID, inputChan, outputChan);
149 if (NewLUT == NULL) return NULL;
150
151 @@ -2794,6 +2797,9 @@ void* Type_LUTB2A_Read(struct _cms_typehandler_struct* sel f, cmsIOHANDLER* io, c
152 if (!_cmsReadUInt8Number(io, &inputChan)) return NULL;
153 if (!_cmsReadUInt8Number(io, &outputChan)) return NULL;
154
155 + if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
156 + if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
157 +
158 // Padding
159 if (!_cmsReadUInt16Number(io, NULL)) return NULL;
160
161 @@ -4443,6 +4449,9 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
162 if (!_cmsReadUInt16Number(io, &InputChans)) return NULL;
163 if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
164
165 + if (InputChans == 0 || InputChans >= cmsMAXCHANNELS) return NULL;
166 + if (OutputChans == 0 || OutputChans >= cmsMAXCHANNELS) return NULL;
167 +
168 // Allocates an empty LUT
169 NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
170 if (NewLUT == NULL) return NULL;
OLDNEW
« no previous file with comments | « no previous file | third_party/lcms2-2.6/README.pdfium » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698