Add check on CGATS memory allocation in littlecms.
This pull in the relevant bits from upstream commit 768f70ca.
BUG=chromium:872189
Change-Id: I6a970a00ff322768cddc2825e4b6e3e12400d43d
Reviewed-on: https://pdfium-review.googlesource.com/41671
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/lcms/0032-cgats-allocation.patch b/third_party/lcms/0032-cgats-allocation.patch
new file mode 100644
index 0000000..08204b5
--- /dev/null
+++ b/third_party/lcms/0032-cgats-allocation.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
+index 55f74ede8..0738a1cce 100644
+--- a/third_party/lcms/src/cmscgats.c
++++ b/third_party/lcms/src/cmscgats.c
+@@ -1504,10 +1504,16 @@ void AllocateDataSet(cmsIT8* it8)
+ t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
+ t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
+
+- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
+- if (t->Data == NULL) {
++ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
++ {
++ SynError(it8, "AllocateDataSet: too much data");
++ }
++ else {
++ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
++ if (t->Data == NULL) {
+
+- SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ }
+ }
+
+ }
diff --git a/third_party/lcms/README.pdfium b/third_party/lcms/README.pdfium
index f5ea9b1..1a096c8 100644
--- a/third_party/lcms/README.pdfium
+++ b/third_party/lcms/README.pdfium
@@ -43,3 +43,4 @@
0029-drop-register-keyword.patch: Remove deprecated 'register' keyword.
0030-const-data.patch: Mark many data structures as const.
0031-wrong-tag-element-count.patch: Handle tag element count mismatch as an error.
+0032-cgats-allocation.patch: Add check on CGATS memory allocation.
diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
index 55f74ed..0738a1c 100644
--- a/third_party/lcms/src/cmscgats.c
+++ b/third_party/lcms/src/cmscgats.c
@@ -1504,10 +1504,16 @@
t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
- if (t->Data == NULL) {
+ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+ {
+ SynError(it8, "AllocateDataSet: too much data");
+ }
+ else {
+ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+ if (t->Data == NULL) {
- SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ }
}
}
