0017-upstream-integer-overflow-MPEmatrix_Read.patch revision 5ae9d0c6fd838a2967cca72aa5751b51dadc2769 
1diff --git a/third_party/lcms2-2.6/src/cmscgats.c b/third_party/lcms2-2.6/src/cmscgats.c
2index 5720c66a7..cce4cedba 100644
3--- a/third_party/lcms2-2.6/src/cmscgats.c
4+++ b/third_party/lcms2-2.6/src/cmscgats.c
5@@ -150,23 +150,24 @@ typedef struct {
6         SUBALLOCATOR   Allocator;             // String suballocator -- just to keep it fast
7 
8         // Parser state machine
9-        SYMBOL         sy;                    // Current symbol
10-        int            ch;                    // Current character
11+        SYMBOL             sy;                // Current symbol
12+        int                ch;                // Current character
13+
14+        cmsInt32Number     inum;              // integer value
15+        cmsFloat64Number   dnum;              // real value
16 
17-        int            inum;                  // integer value
18-        cmsFloat64Number         dnum;                  // real value
19         char           id[MAXID];             // identifier
20         char           str[MAXSTR];           // string
21 
22         // Allowed keywords & datasets. They have visibility on whole stream
23-        KEYVALUE*     ValidKeywords;
24-        KEYVALUE*     ValidSampleID;
25+        KEYVALUE*      ValidKeywords;
26+        KEYVALUE*      ValidSampleID;
27 
28         char*          Source;                // Points to loc. being parsed
29-        int            lineno;                // line counter for error reporting
30+        cmsInt32Number lineno;                // line counter for error reporting
31 
32         FILECTX*       FileStack[MAXINCLUDE]; // Stack of files being parsed
33-        int            IncludeSP;             // Include Stack Pointer
34+        cmsInt32Number IncludeSP;             // Include Stack Pointer
35 
36         char*          MemoryBlock;           // The stream if holded in memory
37 
38@@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum)
39     // Exponent, example 34.00E+20
40     if (toupper(it8->ch) == 'E') {
41 
42-        int e;
43-        int sgn;
44+        cmsInt32Number e;
45+        cmsInt32Number sgn;
46 
47         NextCh(it8); sgn = 1;
48 
49@@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum)
50             e = 0;
51             while (isdigit(it8->ch)) {
52 
53-                if ((cmsFloat64Number) e * 10L < INT_MAX)
54+                if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0)
55                     e = e * 10 + (it8->ch - '0');
56 
57                 NextCh(it8);
58@@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8)
59 
60                 while (isdigit(it8->ch)) {
61 
62-                    if ((long) it8->inum * 10L > (long) INT_MAX) {
63+                    if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) {
64                         ReadReal(it8, it8->inum);
65                         it8->sy = SDNUM;
66                         it8->dnum *= sign;
67diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
68index 0256e247b..75f1fae32 100644
69--- a/third_party/lcms2-2.6/src/cmstypes.c
70+++ b/third_party/lcms2-2.6/src/cmstypes.c
71@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
72     if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
73 
74 
75+    // Input and output chans may be ANY (up to 0xffff), 
76+    // but we choose to limit to 16 channels for now
77+    if (InputChans >= cmsMAXCHANNELS) return NULL;
78+    if (OutputChans >= cmsMAXCHANNELS) return NULL;
79+
80     nElems = InputChans * OutputChans;
81 
82-    // Input and output chans may be ANY (up to 0xffff)
83     Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number));
84     if (Matrix == NULL) return NULL;
85 
86