author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-06 13:32:07 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-12 07:54:20 +0000 |
commit | 7610166df941e1070b07a33805ba780bbf36dc07 (patch) | |
tree | 4b0f6b2faed7f1f71d16002ddaea1dba9f361d34 | |
parent | 9dec1e5d10487bba20ea4ec2386ebbd65ea9352a (diff) |
[Backport] Security patch 864932
Handle wrong tag element count in littlecms.
BUG=chromium:864932
Change-Id: I19b6c2f6c70c9d2f642859f30299d0a0f9e4aa2d
Reviewed-on: https://pdfium-review.googlesource.com/38270
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
3 files changed, 14 insertions, 0 deletions
diff --git a/chromium/third_party/pdfium/third_party/lcms/0031-wrong-tag-element-count.patch b/chromium/third_party/pdfium/third_party/lcms/0031-wrong-tag-element-count.patch
new file mode 100644
index 00000000000..a62bc3de6d9
--- /dev/null
+++ b/chromium/third_party/pdfium/third_party/lcms/0031-wrong-tag-element-count.patch
@@ -0,0 +1,12 @@
+diff --git a/third_party/lcms/src/cmsio0.c b/third_party/lcms/src/cmsio0.c
+index cc5f89064..63bbe36a8 100644
+--- a/third_party/lcms/src/cmsio0.c
++++ b/third_party/lcms/src/cmsio0.c
+@@ -1616,6 +1616,7 @@ void* CMSEXPORT cmsReadTag(cmsHPROFILE hProfile, cmsTagSignature sig)
+ _cmsTagSignature2String(String, sig);
+ cmsSignalError(Icc ->ContextID, cmsERROR_CORRUPTION_DETECTED, "'%s' Inconsistent number of items: expected %d, got %d",
+ String, TagDescriptor ->ElemCount, ElemCount);
++ goto Error;
+ }
+
+
diff --git a/chromium/third_party/pdfium/third_party/lcms/README.pdfium b/chromium/third_party/pdfium/third_party/lcms/README.pdfium
index b04da7df21a..f740669ad70 100644
--- a/chromium/third_party/pdfium/third_party/lcms/README.pdfium
+++ b/chromium/third_party/pdfium/third_party/lcms/README.pdfium
@@ -41,3 +41,4 @@ Local Modifications:
 0027-changes-from-beginning-of-time.patch: commented changes from initial commit.
 0028-do-not-quickfloor.patch: flooring errors may cause heap-buffer-overflow.
 0029-drop-register-keyword.patch: Remove deprecated 'register' keyword.
+0031-wrong-tag-element-count.patch: Handle tag element count mismatch as an error.
diff --git a/chromium/third_party/pdfium/third_party/lcms/src/cmsio0.c b/chromium/third_party/pdfium/third_party/lcms/src/cmsio0.c
index cc5f890644d..63bbe36a831 100644
--- a/chromium/third_party/pdfium/third_party/lcms/src/cmsio0.c
+++ b/chromium/third_party/pdfium/third_party/lcms/src/cmsio0.c
@@ -1616,6 +1616,7 @@ void* CMSEXPORT cmsReadTag(cmsHPROFILE hProfile, cmsTagSignature sig)
 _cmsTagSignature2String(String, sig);
 cmsSignalError(Icc ->ContextID, cmsERROR_CORRUPTION_DETECTED, "'%s' Inconsistent number of items: expected %d, got %d",
 String, TagDescriptor ->ElemCount, ElemCount);
+ goto Error;
 } |
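Review bot: The added `goto Error;` makes the safety of this rejection depend entirely on the `Error:` label, which lies outside the hunk along with the start and end of cmsReadTag. Since the message already reports the count that was obtained, the tag data has presumably been read and stored by this point. The error path therefore needs to free that object and clear any cached pointer to it. Otherwise a later cmsReadTag call for the same signature could return the data that was just rejected, or the allocation could leak; please confirm this against the full function. A one-line comment above the jump would also record the intent, e.g. `/* Element count mismatch: treat the tag as corrupt and fail the read */`.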