Check for unused tag_len in read_nested_curveType()

third_party/qcms/google.patch

 diff --git a/third_party/qcms/src/iccread.c b/third_party/qcms/src/iccread.c
-index 36b7011..9ee6b94 100644
+index 36b7011..5876f96 100644
 --- a/third_party/qcms/src/iccread.c
 +++ b/third_party/qcms/src/iccread.c
 @@ -266,7 +266,7 @@ qcms_bool qcms_profile_is_bogus(qcms_profile *profile)
         if (profile->color_space != RGB_SIGNATURE)
                return false;
  
 -       if (profile->A2B0 || profile->B2A0)
 +       if (qcms_supports_iccv4 && (profile->A2B0 || profile->B2A0))
                 return false;
  
@@ skipping 23 matching lines @@
             if (!(((sum[i] - tolerance[i]) <= target[i]) &&
 @@ -402,7 +411,7 @@ static struct XYZNumber read_tag_XYZType(struct mem_source *src, struct tag_inde
  // present that are not part of the tag_index.
  static struct curveType *read_curveType(struct mem_source *src, uint32_t offset, uint32_t *len)
  {
 -       static const size_t COUNT_TO_LENGTH[5] = {1, 3, 4, 5, 7};
 +       static const uint32_t COUNT_TO_LENGTH[5] = {1, 3, 4, 5, 7};
         struct curveType *curve = NULL;
         uint32_t type = read_u32(src, offset);
         uint32_t count;
-@@ -657,7 +666,7 @@ static struct lutType *read_tag_lutType(struct mem_source *src, struct tag_index
+@@ -484,19 +493,23 @@ static void read_nested_curveType(struct mem_source *src, struct curveType *(*cu
+        uint32_t channel_offset = 0;
+        int i;
+        for (i = 0; i < num_channels; i++) {
+-               uint32_t tag_len;
++               uint32_t tag_len = ~0;
+ 
+                (*curveArray)[i] = read_curveType(src, curve_offset + channel_offset, &tag_len);
+                if (!(*curveArray)[i]) {
+                        invalid_source(src, "invalid nested curveType curve");
+                }
+ 
++               if (tag_len == ~0) {
++                       invalid_source(src, "invalid nested curveType tag length");
++                       return;
++               }
++
+                channel_offset += tag_len;
+                // 4 byte aligned
+                if ((tag_len % 4) != 0)
+                        channel_offset += 4 - (tag_len % 4);
+        }
+-
+ }
+ 
+ static void mAB_release(struct lutmABType *lut)
+@@ -657,7 +670,7 @@ static struct lutType *read_tag_lutType(struct mem_source *src, struct tag_index
         uint16_t num_input_table_entries;
         uint16_t num_output_table_entries;
         uint8_t in_chan, grid_points, out_chan;
 -       uint32_t clut_offset, output_offset;
 +       size_t clut_offset, output_offset;
         uint32_t clut_size;
         size_t entry_size;
         struct lutType *lut;
-@@ -997,6 +1006,9 @@ qcms_profile* qcms_profile_from_memory(const void *mem, size_t size)
+@@ -997,6 +1010,9 @@ qcms_profile* qcms_profile_from_memory(const void *mem, size_t size)
         source.size = size;
         source.valid = true;
  
 +       if (size < 4)
 +               return INVALID_PROFILE;
 +
         length = read_u32(src, 0);
         if (length <= size) {
                 // shrink the area that we can read if appropriate
 diff --git a/third_party/qcms/src/qcms.h b/third_party/qcms/src/qcms.h
@@ skipping 935 matching lines @@
  
 -float lut_interp_linear(double value, uint16_t *table, int length);
 -float lut_interp_linear_float(float value, float *table, int length);
 -uint16_t lut_interp_linear16(uint16_t input_value, uint16_t *table, int length);
 +float lut_interp_linear(double value, uint16_t *table, size_t length);
 +float lut_interp_linear_float(float value, float *table, size_t length);
 +uint16_t lut_interp_linear16(uint16_t input_value, uint16_t *table, size_t length);
  
  
  static inline float lerp(float a, float b, float t)