|
|
a212af2 |
--- icc/icc.c.CVE-2009-0583,0584 2008-09-03 01:10:23.000000000 +0100
|
|
|
a212af2 |
+++ icc/icc.c 2009-03-20 17:36:41.000000000 +0000
|
|
|
a212af2 |
@@ -53,6 +53,8 @@
|
|
|
a212af2 |
|
|
|
a212af2 |
#define _ICC_C_ /* Turn on implimentation code */
|
|
|
a212af2 |
|
|
|
a212af2 |
+#include <limits.h>
|
|
|
a212af2 |
+#include <stdint.h>
|
|
|
a212af2 |
#include <stdio.h>
|
|
|
a212af2 |
#include <stdlib.h>
|
|
|
a212af2 |
#include <stdarg.h>
|
|
|
a212af2 |
@@ -122,8 +124,11 @@ size_t count
|
|
|
a212af2 |
icmFileMem *p = (icmFileMem *)pp;
|
|
|
a212af2 |
size_t len;
|
|
|
a212af2 |
|
|
|
a212af2 |
+ if (count > 0 && size > SIZE_MAX / count)
|
|
|
a212af2 |
+ return 0;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len = size * count;
|
|
|
a212af2 |
- if ((p->cur + len) >= p->end) { /* Too much */
|
|
|
a212af2 |
+ if (len > (p->end - p->cur)) { /* Too much */
|
|
|
a212af2 |
if (size > 0)
|
|
|
a212af2 |
count = (p->end - p->cur)/size;
|
|
|
a212af2 |
else
|
|
|
a212af2 |
@@ -146,8 +151,11 @@ size_t count
|
|
|
a212af2 |
icmFileMem *p = (icmFileMem *)pp;
|
|
|
a212af2 |
size_t len;
|
|
|
a212af2 |
|
|
|
a212af2 |
+ if (count > 0 && size > SIZE_MAX / count)
|
|
|
a212af2 |
+ return 0;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len = size * count;
|
|
|
a212af2 |
- if ((p->cur + len) >= p->end) { /* Too much */
|
|
|
a212af2 |
+ if (len > (p->end - p->cur)) { /* Too much */
|
|
|
a212af2 |
if (size > 0)
|
|
|
a212af2 |
count = (p->end - p->cur)/size;
|
|
|
a212af2 |
else
|
|
|
a212af2 |
@@ -1725,6 +1733,8 @@ static int icmUnknown_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUnknown_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -1833,7 +1843,7 @@ static int icmUnknown_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUnknown_alloc: malloc() of icmUnknown data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -1957,6 +1967,8 @@ static int icmUInt8Array_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt8Array_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -2021,7 +2033,7 @@ static int icmUInt8Array_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2072,6 +2084,10 @@ static unsigned int icmUInt16Array_get_s
|
|
|
a212af2 |
icmUInt16Array *p = (icmUInt16Array *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 2) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 2; /* 2 bytes for each UInt16 */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2144,6 +2160,8 @@ static int icmUInt16Array_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt16Array_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -2208,7 +2226,7 @@ static int icmUInt16Array_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2259,6 +2277,10 @@ static unsigned int icmUInt32Array_get_s
|
|
|
a212af2 |
icmUInt32Array *p = (icmUInt32Array *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 4) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 4; /* 4 bytes for each UInt32 */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2331,6 +2353,8 @@ static int icmUInt32Array_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt32Array_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -2395,7 +2419,7 @@ static int icmUInt32Array_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2446,6 +2470,10 @@ static unsigned int icmUInt64Array_get_s
|
|
|
a212af2 |
icmUInt64Array *p = (icmUInt64Array *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 8) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 8; /* 8 bytes for each UInt64 */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2518,6 +2546,8 @@ static int icmUInt64Array_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt64Array_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -2582,7 +2612,7 @@ static int icmUInt64Array_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2633,6 +2663,10 @@ static unsigned int icmU16Fixed16Array_g
|
|
|
a212af2 |
icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 4) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 4; /* 4 byte for each U16Fixed16 */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2705,6 +2739,8 @@ static int icmU16Fixed16Array_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -2769,7 +2805,7 @@ static int icmU16Fixed16Array_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2820,6 +2856,10 @@ static unsigned int icmS15Fixed16Array_g
|
|
|
a212af2 |
icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 4) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) - 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 4; /* 4 byte for each S15Fixed16 */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -2892,6 +2932,8 @@ static int icmS15Fixed16Array_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -2956,7 +2998,7 @@ static int icmS15Fixed16Array_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -3049,6 +3091,10 @@ static unsigned int icmXYZArray_get_size
|
|
|
a212af2 |
icmXYZArray *p = (icmXYZArray *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 12) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) - 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 12; /* 12 bytes for each XYZ */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -3121,6 +3167,8 @@ static int icmXYZArray_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmXYZArray_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -3188,7 +3236,7 @@ static int icmXYZArray_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -3468,6 +3516,10 @@ static unsigned int icmCurve_get_size(
|
|
|
a212af2 |
icmCurve *p = (icmCurve *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 12; /* 12 bytes for tag, padding and count */
|
|
|
a212af2 |
+ if (p->size > (UINT_MAX - len) / 2) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) - 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->size * 2; /* 2 bytes for each UInt16 */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -3565,6 +3617,8 @@ static int icmCurve_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmCurve_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -3674,7 +3728,7 @@ static int icmCurve_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -3824,6 +3878,8 @@ static int icmData_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmData_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -3971,7 +4027,7 @@ static int icmData_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -4096,6 +4152,8 @@ static int icmText_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmText_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -4185,7 +4243,7 @@ static int icmText_allocate(
|
|
|
a212af2 |
if (p->size != p->_size) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -4433,6 +4491,8 @@ static int icmDateTimeNumber_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -4523,11 +4583,15 @@ static icmBase *new_icmDateTimeNumber(
|
|
|
a212af2 |
/* icmLut object */
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Utility function - raise one integer to an integer power */
|
|
|
a212af2 |
-static unsigned int uipow(unsigned int a, unsigned int b) {
|
|
|
a212af2 |
+static int uipow(unsigned int a, unsigned int b, unsigned int *ret) {
|
|
|
a212af2 |
unsigned int rv = 1;
|
|
|
a212af2 |
- for (; b > 0; b--)
|
|
|
a212af2 |
+ for (; b > 0; b--) {
|
|
|
a212af2 |
+ if (a > 0 && rv > UINT_MAX / a)
|
|
|
a212af2 |
+ return 1;
|
|
|
a212af2 |
rv *= a;
|
|
|
a212af2 |
- return rv;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ *ret = rv;
|
|
|
a212af2 |
+ return 0;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* - - - - - - - - - - - - - - - - */
|
|
|
a212af2 |
@@ -4667,7 +4731,7 @@ double *in /* Input array[outputChan] *
|
|
|
a212af2 |
if (p->inputChan <= 8) {
|
|
|
a212af2 |
gw = GW; /* Use stack allocation */
|
|
|
a212af2 |
} else {
|
|
|
a212af2 |
- if ((gw = (double *) icp->al->malloc(icp->al, (1 << p->inputChan) * sizeof(double))) == NULL) {
|
|
|
a212af2 |
+ if ((gw = (double *) icp->al->calloc(icp->al, (1 << p->inputChan), sizeof(double))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -5653,19 +5717,50 @@ static unsigned int icmLut_get_size(
|
|
|
a212af2 |
) {
|
|
|
a212af2 |
icmLut *p = (icmLut *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
+ unsigned int pw;
|
|
|
a212af2 |
|
|
|
a212af2 |
if (p->ttype == icSigLut8Type) {
|
|
|
a212af2 |
len += 48; /* tag and header */
|
|
|
a212af2 |
+ if (p->inputChan > 0 &&
|
|
|
a212af2 |
+ p->inputEnt > (UINT_MAX - len) / p->inputChan / 1)
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len += 1 * (p->inputChan * p->inputEnt);
|
|
|
a212af2 |
- len += 1 * (p->outputChan * uipow(p->clutPoints,p->inputChan));
|
|
|
a212af2 |
+ if (uipow(p->clutPoints,p->inputChan, &pw) ||
|
|
|
a212af2 |
+ (p->outputChan > 0 &&
|
|
|
a212af2 |
+ pw > (UINT_MAX - len) / p->outputChan / 1))
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
+ len += 1 * (p->outputChan * pw);
|
|
|
a212af2 |
+ if (p->outputChan > 0 &&
|
|
|
a212af2 |
+ p->outputEnt > (UINT_MAX - len) / p->outputChan / 1)
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len += 1 * (p->outputChan * p->outputEnt);
|
|
|
a212af2 |
} else {
|
|
|
a212af2 |
len += 52; /* tag and header */
|
|
|
a212af2 |
+ if (p->inputChan > 0 &&
|
|
|
a212af2 |
+ p->inputEnt > (UINT_MAX - len) / p->inputChan / 2)
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len += 2 * (p->inputChan * p->inputEnt);
|
|
|
a212af2 |
- len += 2 * (p->outputChan * uipow(p->clutPoints,p->inputChan));
|
|
|
a212af2 |
+ if (uipow(p->clutPoints,p->inputChan, &pw) ||
|
|
|
a212af2 |
+ (p->outputChan > 0 &&
|
|
|
a212af2 |
+ pw > (UINT_MAX - len) / p->outputChan / 2))
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
+ len += 2 * (p->outputChan * pw);
|
|
|
a212af2 |
+ if (p->outputChan > 0 &&
|
|
|
a212af2 |
+ p->outputEnt > (UINT_MAX - len) / p->outputChan / 2)
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len += 2 * (p->outputChan * p->outputEnt);
|
|
|
a212af2 |
}
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
+ overflow:
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* read the object, return 0 on success, error code on fail */
|
|
|
a212af2 |
@@ -5678,6 +5773,7 @@ static int icmLut_read(
|
|
|
a212af2 |
icc *icp = p->icp;
|
|
|
a212af2 |
int rv = 0;
|
|
|
a212af2 |
unsigned long i, j, g, size;
|
|
|
a212af2 |
+ unsigned int pw;
|
|
|
a212af2 |
char *bp, *buf;
|
|
|
a212af2 |
|
|
|
a212af2 |
if (len < 4) {
|
|
|
a212af2 |
@@ -5738,6 +5834,11 @@ static int icmLut_read(
|
|
|
a212af2 |
return icp->errc = 1;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
+ if (p->clutPoints > 100) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_read: too many clutPoints");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+
|
|
|
a212af2 |
/* Read 3x3 transform matrix */
|
|
|
a212af2 |
for (j = 0; j < 3; j++) { /* Rows */
|
|
|
a212af2 |
for (i = 0; i < 3; i++) { /* Columns */
|
|
|
a212af2 |
@@ -5755,13 +5856,18 @@ static int icmLut_read(
|
|
|
a212af2 |
bp = buf+52;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
- if (len < icmLut_get_size((icmBase *)p)) {
|
|
|
a212af2 |
+ if (len < icmLut_get_size((icmBase *)p) || icp->errc) {
|
|
|
a212af2 |
sprintf(icp->err,"icmLut_read: Tag too small for contents");
|
|
|
a212af2 |
icp->al->free(icp->al, buf);
|
|
|
a212af2 |
return icp->errc = 1;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Read the input tables */
|
|
|
a212af2 |
+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_read: overflow");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->inputChan * p->inputEnt);
|
|
|
a212af2 |
if ((rv = p->allocate((icmBase *)p)) != 0) {
|
|
|
a212af2 |
icp->al->free(icp->al, buf);
|
|
|
a212af2 |
@@ -5776,7 +5882,14 @@ static int icmLut_read(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Read the clut table */
|
|
|
a212af2 |
- size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
|
|
|
a212af2 |
+ if (uipow(p->clutPoints,p->inputChan,&pw) ||
|
|
|
a212af2 |
+ (p->outputChan > 0 &&
|
|
|
a212af2 |
+ pw > UINT_MAX / p->outputChan)) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_read: overflow");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ size = (p->outputChan * pw);
|
|
|
a212af2 |
if ((rv = p->allocate((icmBase *)p)) != 0) {
|
|
|
a212af2 |
icp->al->free(icp->al, buf);
|
|
|
a212af2 |
return rv;
|
|
|
a212af2 |
@@ -5790,6 +5903,11 @@ static int icmLut_read(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Read the output tables */
|
|
|
a212af2 |
+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_read: overflow");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->outputChan * p->outputEnt);
|
|
|
a212af2 |
if ((rv = p->allocate((icmBase *)p)) != 0) {
|
|
|
a212af2 |
icp->al->free(icp->al, buf);
|
|
|
a212af2 |
@@ -5829,12 +5947,14 @@ static int icmLut_write(
|
|
|
a212af2 |
icmLut *p = (icmLut *)pp;
|
|
|
a212af2 |
icc *icp = p->icp;
|
|
|
a212af2 |
unsigned long i,j;
|
|
|
a212af2 |
- unsigned int len, size;
|
|
|
a212af2 |
+ unsigned int len, size, pw;
|
|
|
a212af2 |
char *bp, *buf; /* Buffer to write from */
|
|
|
a212af2 |
int rv = 0;
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmLut_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -5907,6 +6027,11 @@ static int icmLut_write(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Write the input tables */
|
|
|
a212af2 |
+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_write: overflow");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->inputChan * p->inputEnt);
|
|
|
a212af2 |
if (p->ttype == icSigLut8Type) {
|
|
|
a212af2 |
for (i = 0; i < size; i++, bp += 1) {
|
|
|
a212af2 |
@@ -5927,7 +6052,14 @@ static int icmLut_write(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Write the clut table */
|
|
|
a212af2 |
- size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
|
|
|
a212af2 |
+ if (uipow(p->clutPoints,p->inputChan,&pw) ||
|
|
|
a212af2 |
+ (p->outputChan > 0 &&
|
|
|
a212af2 |
+ pw > UINT_MAX / p->outputChan)) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_write: overflow");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ size = (p->outputChan * pw);
|
|
|
a212af2 |
if (p->ttype == icSigLut8Type) {
|
|
|
a212af2 |
for (i = 0; i < size; i++, bp += 1) {
|
|
|
a212af2 |
if ((rv = write_DCS8Number(p->clutTable[i], bp)) != 0) {
|
|
|
a212af2 |
@@ -5947,6 +6079,11 @@ static int icmLut_write(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Write the output tables */
|
|
|
a212af2 |
+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_write: overflow");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->outputChan * p->outputEnt);
|
|
|
a212af2 |
if (p->ttype == icSigLut8Type) {
|
|
|
a212af2 |
for (i = 0; i < size; i++, bp += 1) {
|
|
|
a212af2 |
@@ -6017,7 +6154,14 @@ static void icmLut_dump(
|
|
|
a212af2 |
if (p->inputChan > MAX_CHAN) {
|
|
|
a212af2 |
op->gprintf(op," !!Can't dump > %d input channel CLUT table!!\n",MAX_CHAN);
|
|
|
a212af2 |
} else {
|
|
|
a212af2 |
- size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
|
|
|
a212af2 |
+ unsigned int pw;
|
|
|
a212af2 |
+ if (uipow(p->clutPoints,p->inputChan,&pw) ||
|
|
|
a212af2 |
+ (p->outputChan > 0 &&
|
|
|
a212af2 |
+ pw > UINT_MAX / p->outputChan)) {
|
|
|
a212af2 |
+ fprintf(op,"Would overflow.\n");
|
|
|
a212af2 |
+ return;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ size = (p->outputChan * pw);
|
|
|
a212af2 |
for (j = 0; j < p->inputChan; j++)
|
|
|
a212af2 |
ii[j] = 0;
|
|
|
a212af2 |
for (i = 0; i < size;) {
|
|
|
a212af2 |
@@ -6056,7 +6200,7 @@ static void icmLut_dump(
|
|
|
a212af2 |
static int icmLut_allocate(
|
|
|
a212af2 |
icmBase *pp
|
|
|
a212af2 |
) {
|
|
|
a212af2 |
- unsigned int i, j, g, size;
|
|
|
a212af2 |
+ unsigned int i, j, g, size, pw;
|
|
|
a212af2 |
icmLut *p = (icmLut *)pp;
|
|
|
a212af2 |
icc *icp = p->icp;
|
|
|
a212af2 |
|
|
|
a212af2 |
@@ -6071,6 +6215,10 @@ static int icmLut_allocate(
|
|
|
a212af2 |
return icp->errc = 1;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
+ if (p->inputEnt > 0 && p->inputChan > UINT_MAX / p->inputEnt) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_alloc: too many entries");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->inputChan * p->inputEnt);
|
|
|
a212af2 |
if (size != p->inputTable_size) {
|
|
|
a212af2 |
if (p->inputTable != NULL)
|
|
|
a212af2 |
@@ -6081,7 +6229,13 @@ static int icmLut_allocate(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
p->inputTable_size = size;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
- size = (p->outputChan * uipow(p->clutPoints,p->inputChan));
|
|
|
a212af2 |
+ if (uipow(p->clutPoints,p->inputChan,&pw) ||
|
|
|
a212af2 |
+ (p->outputChan > 0 &&
|
|
|
a212af2 |
+ pw > UINT_MAX / p->outputChan)) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_alloc: overflow");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ size = (p->outputChan * pw);
|
|
|
a212af2 |
if (size != p->clutTable_size) {
|
|
|
a212af2 |
if (p->clutTable != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->clutTable);
|
|
|
a212af2 |
@@ -6091,6 +6245,10 @@ static int icmLut_allocate(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
p->clutTable_size = size;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
+ if (p->outputChan > 0 && p->outputEnt > UINT_MAX / p->outputChan) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmLut_alloc: overflow");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->outputChan * p->outputEnt);
|
|
|
a212af2 |
if (size != p->outputTable_size) {
|
|
|
a212af2 |
if (p->outputTable != NULL)
|
|
|
a212af2 |
@@ -6286,6 +6444,8 @@ static int icmMeasurement_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmMeasurement_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -6553,13 +6713,20 @@ static unsigned int icmNamedColor_get_si
|
|
|
a212af2 |
len += p->nDeviceCoords * 1; /* bytes for each named color */
|
|
|
a212af2 |
}
|
|
|
a212af2 |
} else { /* Named Color 2 */
|
|
|
a212af2 |
+ unsigned int col;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
len += 4; /* 4 for vendor specific flags */
|
|
|
a212af2 |
len += 4; /* 4 for count of named colors */
|
|
|
a212af2 |
len += 4; /* 4 for number of device coords */
|
|
|
a212af2 |
len += 32; /* 32 for prefix of color names */
|
|
|
a212af2 |
len += 32; /* 32 for suffix of color names */
|
|
|
a212af2 |
- len += p->count * (32 + 6 + p->nDeviceCoords * 2); /* bytes for each named color */
|
|
|
a212af2 |
+ col = 32 + 6 + p->nDeviceCoords * 2;
|
|
|
a212af2 |
+ if (p->nDeviceCoords > (UINT_MAX - (32 + 6)) / 2 ||
|
|
|
a212af2 |
+ (p->count > 0 && col > (UINT_MAX - len) / p->count)) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ len += p->count * col; /* bytes for each named color */
|
|
|
a212af2 |
}
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -6723,6 +6890,8 @@ static int icmNamedColor_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmNamedColor_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -7116,6 +7285,8 @@ static int icmColorantTable_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmColorantTable_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -7270,9 +7441,22 @@ static unsigned int icmTextDescription_g
|
|
|
a212af2 |
) {
|
|
|
a212af2 |
icmTextDescription *p = (icmTextDescription *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
+ if (p->size > UINT_MAX - (8 + 4 + 8)) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
len += 4 + p->size; /* Ascii string length + ascii string */
|
|
|
a212af2 |
- len += 8 + 2 * p->ucSize; /* Unicode language code + length + string */
|
|
|
a212af2 |
+ len += 8; /* Unicode language code + length */
|
|
|
a212af2 |
+ if (p->ucSize > (UINT_MAX - len) / 2) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ len += 2 * p->ucSize; /* Unicode string */
|
|
|
a212af2 |
+ if (len > (UINT_MAX - (3 + 67))) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += 3 + 67; /* ScriptCode code, length string */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -7460,6 +7644,8 @@ static int icmTextDescription_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmTextDescription_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -7710,7 +7896,7 @@ static int icmTextDescription_allocate(
|
|
|
a212af2 |
if (p->ucSize != p->uc_size) {
|
|
|
a212af2 |
if (p->ucDesc != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->ucDesc);
|
|
|
a212af2 |
- if ((p->ucDesc = (ORD16 *) icp->al->malloc(icp->al, p->ucSize * sizeof(ORD16))) == NULL) {
|
|
|
a212af2 |
+ if ((p->ucDesc = (ORD16 *) icp->al->calloc(icp->al, p->ucSize, sizeof(ORD16))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmTextDescription_alloc: malloc() of Unicode description failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -7986,6 +8172,12 @@ static int icmProfileSequenceDesc_read(
|
|
|
a212af2 |
bp += 8; /* Skip padding */
|
|
|
a212af2 |
|
|
|
a212af2 |
p->count = read_UInt32Number(bp); /* Number of sequence descriptions */
|
|
|
a212af2 |
+ if (p->count > 1000) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmProfileSequenceDesc_read: too many sequence descriptions");
|
|
|
a212af2 |
+ icp->al->free(icp->al, buf);
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+
|
|
|
a212af2 |
bp += 4;
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Read all the sequence descriptions */
|
|
|
a212af2 |
@@ -8018,6 +8210,8 @@ static int icmProfileSequenceDesc_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmProfileSequenceDesc_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -8088,7 +8282,7 @@ static int icmProfileSequenceDesc_alloca
|
|
|
a212af2 |
if (p->count != p->_count) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (icmDescStruct *) icp->al->malloc(icp->al, p->count * sizeof(icmDescStruct))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (icmDescStruct *) icp->al->calloc(icp->al, p->count, sizeof(icmDescStruct))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmProfileSequenceDesc_allocate Allocation of DescStruct array failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -8207,6 +8401,8 @@ static int icmSignature_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmSignature_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -8322,6 +8518,10 @@ static unsigned int icmScreening_get_siz
|
|
|
a212af2 |
icmScreening *p = (icmScreening *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 16; /* 16 bytes for tag, padding, flag & channeles */
|
|
|
a212af2 |
+ if (p->channels > (UINT_MAX - len) / 12) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += p->channels * 12; /* 12 bytes for each channel */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -8401,6 +8601,8 @@ static int icmScreening_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmScreening_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -8481,7 +8683,7 @@ static int icmScreening_allocate(
|
|
|
a212af2 |
if (p->channels != p->_channels) {
|
|
|
a212af2 |
if (p->data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->data);
|
|
|
a212af2 |
- if ((p->data = (icmScreeningData *) icp->al->malloc(icp->al, p->channels * sizeof(icmScreeningData))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (icmScreeningData *) icp->al->calloc(icp->al, p->channels, sizeof(icmScreeningData))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmScreening_alloc: malloc() of icmScreening data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -8532,10 +8734,20 @@ static unsigned int icmUcrBg_get_size(
|
|
|
a212af2 |
icmUcrBg *p = (icmUcrBg *)pp;
|
|
|
a212af2 |
unsigned int len = 0;
|
|
|
a212af2 |
len += 8; /* 8 bytes for tag and padding */
|
|
|
a212af2 |
+ if (p->UCRcount > (UINT_MAX - len - 4) / 2)
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len += 4 + p->UCRcount * 2; /* Undercolor Removal */
|
|
|
a212af2 |
+ if (p->BGcount > (UINT_MAX - len - 4 - p->size) / 2)
|
|
|
a212af2 |
+ goto overflow;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
len += 4 + p->BGcount * 2; /* Black Generation */
|
|
|
a212af2 |
len += p->size; /* Description string */
|
|
|
a212af2 |
return len;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
+ overflow:
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* read the object, return 0 on success, error code on fail */
|
|
|
a212af2 |
@@ -8664,6 +8876,8 @@ static int icmUcrBg_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUcrBg_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -8829,7 +9043,7 @@ static int icmUcrBg_allocate(
|
|
|
a212af2 |
if (p->UCRcount != p->UCR_count) {
|
|
|
a212af2 |
if (p->UCRcurve != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->UCRcurve);
|
|
|
a212af2 |
- if ((p->UCRcurve = (double *) icp->al->malloc(icp->al, p->UCRcount * sizeof(double))) == NULL) {
|
|
|
a212af2 |
+ if ((p->UCRcurve = (double *) icp->al->calloc(icp->al, p->UCRcount, sizeof(double))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUcrBg_allocate: malloc() of UCR curve data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -8838,7 +9052,7 @@ static int icmUcrBg_allocate(
|
|
|
a212af2 |
if (p->BGcount != p->BG_count) {
|
|
|
a212af2 |
if (p->BGcurve != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->BGcurve);
|
|
|
a212af2 |
- if ((p->BGcurve = (double *) icp->al->malloc(icp->al, p->BGcount * sizeof(double))) == NULL) {
|
|
|
a212af2 |
+ if ((p->BGcurve = (double *) icp->al->calloc(icp->al, p->BGcount, sizeof(double))) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmUcrBg_allocate: malloc() of BG curve data failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -8910,6 +9124,15 @@ static unsigned int icmVideoCardGamma_ge
|
|
|
a212af2 |
len += 2; /* 2 bytes for channels */
|
|
|
a212af2 |
len += 2; /* 2 for entry count */
|
|
|
a212af2 |
len += 2; /* 2 for entry size */
|
|
|
a212af2 |
+ if (p->u.table.entryCount > 0 &&
|
|
|
a212af2 |
+ p->u.table.entrySize > 0 &&
|
|
|
a212af2 |
+ p->u.table.channels >
|
|
|
a212af2 |
+ (UINT_MAX - len) /
|
|
|
a212af2 |
+ p->u.table.entryCount /
|
|
|
a212af2 |
+ p->u.table.entrySize) {
|
|
|
a212af2 |
+ p->icp->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len += ( p->u.table.channels * /* compute table size */
|
|
|
a212af2 |
p->u.table.entryCount *
|
|
|
a212af2 |
p->u.table.entrySize );
|
|
|
a212af2 |
@@ -8929,10 +9152,11 @@ static int icmVideoCardGamma_read(
|
|
|
a212af2 |
) {
|
|
|
a212af2 |
icmVideoCardGamma *p = (icmVideoCardGamma *)pp;
|
|
|
a212af2 |
icc *icp = p->icp;
|
|
|
a212af2 |
- int rv, c;
|
|
|
a212af2 |
+ int rv;
|
|
|
a212af2 |
char *bp, *buf;
|
|
|
a212af2 |
ORD8 *pchar;
|
|
|
a212af2 |
ORD16 *pshort;
|
|
|
a212af2 |
+ unsigned long c;
|
|
|
a212af2 |
|
|
|
a212af2 |
if (len < 18) {
|
|
|
a212af2 |
sprintf(icp->err,"icmVideoCardGamma_read: Tag too small to be legal");
|
|
|
a212af2 |
@@ -8969,6 +9193,16 @@ static int icmVideoCardGamma_read(
|
|
|
a212af2 |
p->u.table.channels = read_UInt16Number(bp+12);
|
|
|
a212af2 |
p->u.table.entryCount = read_UInt16Number(bp+14);
|
|
|
a212af2 |
p->u.table.entrySize = read_UInt16Number(bp+16);
|
|
|
a212af2 |
+ if (p->u.table.entrySize > 65530 || p->u.table.entrySize == 0) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmVideoCardGamma_read: Too many entries (or none)");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ if (p->u.table.entryCount > 0 && p->u.table.entrySize > 0 &&
|
|
|
a212af2 |
+ p->u.table.channels >
|
|
|
a212af2 |
+ UINT_MAX / p->u.table.entryCount / p->u.table.entrySize) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmVideoCardGamma_read: Overflow reading tag");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
if ((len-18) < (unsigned int)(p->u.table.channels
|
|
|
a212af2 |
* p->u.table.entryCount
|
|
|
a212af2 |
* p->u.table.entrySize)) {
|
|
|
a212af2 |
@@ -9039,6 +9273,8 @@ static int icmVideoCardGamma_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmViewingConditions_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -9211,7 +9447,7 @@ static int icmVideoCardGamma_allocate(
|
|
|
a212af2 |
) {
|
|
|
a212af2 |
icmVideoCardGamma *p = (icmVideoCardGamma *)pp;
|
|
|
a212af2 |
icc *icp = p->icp;
|
|
|
a212af2 |
- int size;
|
|
|
a212af2 |
+ unsigned int size;
|
|
|
a212af2 |
|
|
|
a212af2 |
/* note: allocation is only relevant for table type
|
|
|
a212af2 |
* and in that case the channels, entryCount, and entrySize
|
|
|
a212af2 |
@@ -9221,6 +9457,11 @@ static int icmVideoCardGamma_allocate(
|
|
|
a212af2 |
if (p->tagType == icmVideoCardGammaTableType) {
|
|
|
a212af2 |
if (p->u.table.data != NULL)
|
|
|
a212af2 |
icp->al->free(icp->al, p->u.table.data);
|
|
|
a212af2 |
+ if (p->u.table.entryCount > 0 &&
|
|
|
a212af2 |
+ p->u.table.channels > UINT_MAX / p->u.table.entryCount) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size = (p->u.table.channels *
|
|
|
a212af2 |
p->u.table.entryCount);
|
|
|
a212af2 |
switch (p->u.table.entrySize) {
|
|
|
a212af2 |
@@ -9228,6 +9469,10 @@ static int icmVideoCardGamma_allocate(
|
|
|
a212af2 |
size *= sizeof(ORD8);
|
|
|
a212af2 |
break;
|
|
|
a212af2 |
case 2:
|
|
|
a212af2 |
+ if (size > UINT_MAX / sizeof(unsigned short)) {
|
|
|
a212af2 |
+ sprintf(icp->err,"icmVideoCardGamma_alloc: table too large");
|
|
|
a212af2 |
+ return icp->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size *= sizeof(unsigned short);
|
|
|
a212af2 |
break;
|
|
|
a212af2 |
default:
|
|
|
a212af2 |
@@ -9428,6 +9673,8 @@ static int icmViewingConditions_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmViewingConditions_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -9660,6 +9907,8 @@ static int icmCrdInfo_write(
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate a file write buffer */
|
|
|
a212af2 |
len = p->get_size((icmBase *)p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(icp->err,"icmCrdInfo_write malloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -9977,6 +10226,8 @@ static int icmHeader_write(
|
|
|
a212af2 |
int rv = 0;
|
|
|
a212af2 |
|
|
|
a212af2 |
len = p->get_size(p);
|
|
|
a212af2 |
+ if (icp->errc)
|
|
|
a212af2 |
+ return icp->errc;
|
|
|
a212af2 |
if ((buf = (char *) icp->al->calloc(icp->al,1,len)) == NULL) { /* Zero it - some CMS are fussy */
|
|
|
a212af2 |
sprintf(icp->err,"icmHeader_write calloc() failed");
|
|
|
a212af2 |
return icp->errc = 2;
|
|
|
a212af2 |
@@ -10563,13 +10814,23 @@ static int icc_read_x(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
p->count = read_UInt32Number(tcbuf); /* Tag count */
|
|
|
a212af2 |
+ if (p->count > 100) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_read: too many table tags");
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
if (p->count > 0) {
|
|
|
a212af2 |
char *bp, *buf;
|
|
|
a212af2 |
- if ((p->data = (icmTag *) p->al->malloc(p->al, p->count * sizeof(icmTag))) == NULL) {
|
|
|
a212af2 |
+ if ((p->data = (icmTag *) p->al->calloc(p->al, p->count, sizeof(icmTag))) == NULL) {
|
|
|
a212af2 |
sprintf(p->err,"icc_read: Tag table malloc() failed");
|
|
|
a212af2 |
return p->errc = 2;
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
+ if (p->count > (UINT_MAX - 4) / 12) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_read: overflow");
|
|
|
a212af2 |
+ p->al->free(p->al, p->data);
|
|
|
a212af2 |
+ p->data = NULL;
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len = 4 + p->count * 12;
|
|
|
a212af2 |
if ((buf = (char *) p->al->malloc(p->al, len)) == NULL) {
|
|
|
a212af2 |
sprintf(p->err,"icc_read: Tag table read buffer malloc() failed");
|
|
|
a212af2 |
@@ -10592,6 +10853,14 @@ static int icc_read_x(
|
|
|
a212af2 |
p->data[i].sig = (icTagSignature)read_SInt32Number(bp + 0);
|
|
|
a212af2 |
p->data[i].offset = read_UInt32Number(bp + 4);
|
|
|
a212af2 |
p->data[i].size = read_UInt32Number(bp + 8);
|
|
|
a212af2 |
+ if (p->data[i].offset + p->data[i].size >
|
|
|
a212af2 |
+ p->header->size) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_read: tag out of bounds");
|
|
|
a212af2 |
+ p->al->free(p->al, p->data);
|
|
|
a212af2 |
+ p->data = NULL;
|
|
|
a212af2 |
+ p->al->free(p->al, buf);
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
if ( p->fp->seek(p->fp, of + p->data[i].offset) != 0
|
|
|
a212af2 |
|| p->fp->read(p->fp, tcbuf, 1, 4) != 4) {
|
|
|
a212af2 |
sprintf(p->err,"icc_read: fseek() or fread() failed on tag headers");
|
|
|
a212af2 |
@@ -10728,9 +10997,19 @@ static unsigned int icc_get_size(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
size += p->header->get_size(p->header);
|
|
|
a212af2 |
+ if (p->errc)
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
/* Assume header is aligned */
|
|
|
a212af2 |
+ if (p->count > (UINT_MAX - 4 - size) / 12) {
|
|
|
a212af2 |
+ p->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size += 4 + p->count * 12; /* Tag table length */
|
|
|
a212af2 |
size = DO_ALIGN(size);
|
|
|
a212af2 |
+ if (size == 0) {
|
|
|
a212af2 |
+ p->errc = 1;
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Reset touched flag for each tag type */
|
|
|
a212af2 |
for (i = 0; i < p->count; i++) {
|
|
|
a212af2 |
@@ -10744,8 +11023,13 @@ static unsigned int icc_get_size(
|
|
|
a212af2 |
/* Get size for each tag type, skipping links */
|
|
|
a212af2 |
for (i = 0; i < p->count; i++) {
|
|
|
a212af2 |
if (p->data[i].objp->touched == 0) { /* Not alllowed for previously */
|
|
|
a212af2 |
- size += p->data[i].objp->get_size(p->data[i].objp);
|
|
|
a212af2 |
+ unsigned int obj_size;
|
|
|
a212af2 |
size = DO_ALIGN(size);
|
|
|
a212af2 |
+ obj_size = p->data[i].objp->get_size(p->data[i].objp);
|
|
|
a212af2 |
+ if (size == 0 || p->errc ||
|
|
|
a212af2 |
+ obj_size > UINT_MAX - size)
|
|
|
a212af2 |
+ return (unsigned int) -1;
|
|
|
a212af2 |
+ size += obj_size;
|
|
|
a212af2 |
p->data[i].objp->touched = 1; /* Don't account for this again */
|
|
|
a212af2 |
}
|
|
|
a212af2 |
}
|
|
|
a212af2 |
@@ -10787,11 +11071,27 @@ static int icc_write_x(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
size += p->header->get_size(p->header);
|
|
|
a212af2 |
+ if (p->errc)
|
|
|
a212af2 |
+ return p->errc;
|
|
|
a212af2 |
+
|
|
|
a212af2 |
/* Assume header is aligned */
|
|
|
a212af2 |
|
|
|
a212af2 |
+ if (p->count > (UINT_MAX - 4 - len) / 12) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_write: too many tags");
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
len = 4 + p->count * 12; /* Tag table length */
|
|
|
a212af2 |
- len = DO_ALIGN(size + len) - size; /* Aligned size */
|
|
|
a212af2 |
- size = DO_ALIGN(size + len);
|
|
|
a212af2 |
+ if (size > (UINT_MAX - len)) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_write: overflow writing tag table");
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ len = DO_ALIGN(size + len);
|
|
|
a212af2 |
+ if (len == 0) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_write: overflow writing tag table");
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ len -= size; /* Aligned size */
|
|
|
a212af2 |
+ size = DO_ALIGN(size + len); /* now known not to overflow */
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Allocate memory buffer for tag table */
|
|
|
a212af2 |
if ((buf = (char *) p->al->calloc(p->al, 1, len)) == NULL) {
|
|
|
a212af2 |
@@ -10821,9 +11121,19 @@ static int icc_write_x(
|
|
|
a212af2 |
if (p->data[i].objp->touched == 0) { /* Allocate space for tag type */
|
|
|
a212af2 |
p->data[i].offset = size; /* Profile relative target */
|
|
|
a212af2 |
p->data[i].size = p->data[i].objp->get_size(p->data[i].objp);
|
|
|
a212af2 |
+ if (p->errc || p->data[i].size > UINT_MAX - size) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_write: internal error - overflow?");
|
|
|
a212af2 |
+ p->al->free(p->al, buf);
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
size += p->data[i].size;
|
|
|
a212af2 |
p->data[i].pad = DO_ALIGN(size) - size;
|
|
|
a212af2 |
size = DO_ALIGN(size);
|
|
|
a212af2 |
+ if (size == 0) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_write: overflow");
|
|
|
a212af2 |
+ p->al->free(p->al, buf);
|
|
|
a212af2 |
+ return p->errc = 1;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
p->data[i].objp->touched = 1; /* Allocated space for it */
|
|
|
a212af2 |
} else { /* must be linked - copy allocation */
|
|
|
a212af2 |
unsigned int k;
|
|
|
a212af2 |
@@ -11058,6 +11368,16 @@ static icmBase *icc_add_tag(
|
|
|
a212af2 |
}
|
|
|
a212af2 |
|
|
|
a212af2 |
/* Make space in tag table for new tag item */
|
|
|
a212af2 |
+ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_add_tag: overflow");
|
|
|
a212af2 |
+ p->errc = 1;
|
|
|
a212af2 |
+ return NULL;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
+ if (p->count > (UINT_MAX / sizeof(icmTag)) - 1) {
|
|
|
a212af2 |
+ sprintf(p->err,"icc_link_tag: overflow");
|
|
|
a212af2 |
+ p->errc = 1;
|
|
|
a212af2 |
+ return NULL;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
if (p->data == NULL)
|
|
|
a212af2 |
tp = (icmBase *)p->al->malloc(p->al, (p->count+1) * sizeof(icmTag));
|
|
|
a212af2 |
else
|
|
|
a212af2 |
@@ -16161,7 +16481,9 @@ double *chmax /* device return chann
|
|
|
a212af2 |
|
|
|
a212af2 |
lut = ll->lut;
|
|
|
a212af2 |
gp = lut->clutTable; /* Base of grid array */
|
|
|
a212af2 |
- size = uipow(lut->clutPoints,lut->inputChan);
|
|
|
a212af2 |
+ if (uipow(lut->clutPoints,lut->inputChan,&size) || size < 0) {
|
|
|
a212af2 |
+ return -1.0;
|
|
|
a212af2 |
+ }
|
|
|
a212af2 |
for (i = 0; i < size; i++) {
|
|
|
a212af2 |
double tot, vv[MAX_CHAN];
|
|
|
a212af2 |
|