File lcms2-sanitize-mpe-profiles.patch of Package lcms2.26845
From 06662a755525586223efe1790da1497d5b2d9e67 Mon Sep 17 00:00:00 2001
From: Marti <marti.maria@tktbrainpower.com>
Date: Wed, 25 Jan 2017 13:28:27 +0100
Subject: [PATCH] sanitize input & output channels on MPE profiles
---
src/cmslut.c | 9 +++------
src/cmstypes.c | 19 ++++++++++++++-----
2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/src/cmslut.c b/src/cmslut.c
index 4be839b..16169f9 100644
--- a/src/cmslut.c
+++ b/src/cmslut.c
@@ -1361,21 +1361,18 @@ void _LUTevalFloat(register const cmsFloat32Number In[], register cmsFloat32Numb
}
-
-
// LUT Creation & Destruction
-
cmsPipeline* CMSEXPORT cmsPipelineAlloc(cmsContext ContextID, cmsUInt32Number InputChannels, cmsUInt32Number OutputChannels)
{
cmsPipeline* NewLUT;
- if (InputChannels >= cmsMAXCHANNELS ||
- OutputChannels >= cmsMAXCHANNELS) return NULL;
+ // A value of zero in channels is allowed as placeholder
+ if (InputChannels >= cmsMAXCHANNELS ||
+ OutputChannels >= cmsMAXCHANNELS) return NULL;
NewLUT = (cmsPipeline*) _cmsMallocZero(ContextID, sizeof(cmsPipeline));
if (NewLUT == NULL) return NULL;
-
NewLUT -> InputChannels = InputChannels;
NewLUT -> OutputChannels = OutputChannels;
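Review bot: The comment added above the bound check in cmsPipelineAlloc says a zero channel count is allowed as a placeholder, but it does not say who must reject zero when the count comes from a profile, which is what the rest of this commit relies on. I would spell that out, for example `// Zero is accepted here as a placeholder; readers taking counts from profile data must reject 0 themselves`. The same comment could note that the upper bound is exclusive (`>= cmsMAXCHANNELS`), since callers have to match it. The function body continues outside the hunk.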
diff --git a/src/cmstypes.c b/src/cmstypes.c
index ec4e154..719bc12 100644
--- a/src/cmstypes.c
+++ b/src/cmstypes.c
@@ -1763,8 +1763,8 @@ void *Type_LUT8_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cms
if (!_cmsReadUInt8Number(io, NULL)) goto Error;
// Do some checking
- if (InputChannels > cmsMAXCHANNELS) goto Error;
- if (OutputChannels > cmsMAXCHANNELS) goto Error;
+ if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
+ if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
// Allocates an empty Pipeline
NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
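Review bot: The upper bound in Type_LUT8_Read is still `> cmsMAXCHANNELS`, while cmsPipelineAlloc and the checks this commit adds to Type_LUTA2B_Read, Type_LUTB2A_Read and Type_MPE_Read all use `>= cmsMAXCHANNELS`. A count equal to cmsMAXCHANNELS therefore passes this check and is refused only inside cmsPipelineAlloc, so the outcome depends on how the NULL return is handled after the call, which is outside the hunk. Matching the bound keeps the rejection at the validation site: `if (InputChannels == 0 || InputChannels >= cmsMAXCHANNELS) goto Error;`, and likewise for OutputChannels. The same applies to the Type_LUT16_Read hunk.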
@@ -2058,8 +2058,8 @@ void *Type_LUT16_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
if (!_cmsReadUInt8Number(io, NULL)) return NULL;
// Do some checking
- if (InputChannels > cmsMAXCHANNELS) goto Error;
- if (OutputChannels > cmsMAXCHANNELS) goto Error;
+ if (InputChannels == 0 || InputChannels > cmsMAXCHANNELS) goto Error;
+ if (OutputChannels == 0 || OutputChannels > cmsMAXCHANNELS) goto Error;
// Allocates an empty LUT
NewLUT = cmsPipelineAlloc(self ->ContextID, InputChannels, OutputChannels);
@@ -2496,7 +2496,10 @@ void* Type_LUTA2B_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
if (!_cmsReadUInt32Number(io, &offsetC)) return NULL;
if (!_cmsReadUInt32Number(io, &offsetA)) return NULL;
- // Allocates an empty LUT
+ if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
+ if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
+
+ // Allocates an empty LUT
NewLUT = cmsPipelineAlloc(self ->ContextID, inputChan, outputChan);
if (NewLUT == NULL) return NULL;
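Review bot: The zero and upper-bound test on the channel counts is written out separately here and again in the Type_LUTB2A_Read and Type_MPE_Read hunks, and none of the three copies says why the bound is exclusive. A one-line comment such as `// Counts come from the profile: reject 0 and anything cmsPipelineAlloc would refuse` would record the intent, and a small static predicate shared by the readers would keep the bound in one place. In this hunk the check sits after the offset reads (offsetC and offsetA are visible), whereas Type_LUTB2A_Read checks immediately after reading the counts. Doing the same here would be more consistent and would stop parsing a rejected tag sooner. The function starts and continues outside the hunk.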
@@ -2804,6 +2807,9 @@ void* Type_LUTB2A_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, c
if (!_cmsReadUInt8Number(io, &inputChan)) return NULL;
if (!_cmsReadUInt8Number(io, &outputChan)) return NULL;
+ if (inputChan == 0 || inputChan >= cmsMAXCHANNELS) return NULL;
+ if (outputChan == 0 || outputChan >= cmsMAXCHANNELS) return NULL;
+
// Padding
if (!_cmsReadUInt16Number(io, NULL)) return NULL;
@@ -4457,6 +4463,9 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
if (!_cmsReadUInt16Number(io, &InputChans)) return NULL;
if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
+ if (InputChans == 0 || InputChans >= cmsMAXCHANNELS) return NULL;
+ if (OutputChans == 0 || OutputChans >= cmsMAXCHANNELS) return NULL;
+
// Allocates an empty LUT
NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans);
if (NewLUT == NULL) return NULL;
--
2.17.1