third_party/lcms/0024-verify-size-before-reading.patch - pdfium - Git at Google

 diff --git a/third_party/lcms/src/cmstypes.c b/third_party/lcms/src/cmstypes.c
 index 75f1fae32..4d96a1ed6 100644
 --- a/third_party/lcms/src/cmstypes.c
 +++ b/third_party/lcms/src/cmstypes.c
 @@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
  {
      cmsUInt32Number i;
      cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
 +    cmsUInt32Number currentPosition;
 +
 +    currentPosition = io->Tell(io);
 +    // Verify there is enough space left to read two cmsUInt32Number items for Count items.
 +    if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
 +        return FALSE;

      // Let's take the offsets to each element
      ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
	diff --git a/third_party/lcms/src/cmstypes.c b/third_party/lcms/src/cmstypes.c
	index 75f1fae32..4d96a1ed6 100644
	--- a/third_party/lcms/src/cmstypes.c
	+++ b/third_party/lcms/src/cmstypes.c
	@@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
	{
	cmsUInt32Number i;
	cmsUInt32Number ElementOffsets = NULL, ElementSizes = NULL;
	+ cmsUInt32Number currentPosition;
	+
	+ currentPosition = io->Tell(io);
	+ // Verify there is enough space left to read two cmsUInt32Number items for Count items.
	+ if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
	+ return FALSE;

	// Let's take the offsets to each element
	ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));