From fe8d3839799adbaf2783ebf27f1433ff8d5abd69 Mon Sep 17 00:00:00 2001
From: Marti Maria
Date: Tue, 16 Apr 2024 12:11:13 +0200
Subject: [PATCH] Be more strict on number of fields Perform some extra checks to prevent crafted IT8
---
src/cmscgats.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/cmscgats.c b/src/cmscgats.c
index 0a1905c3..657e76e1 100644
--- a/src/cmscgats.c
+++ b/src/cmscgats.c
@@ -1206,6 +1206,7 @@ void* AllocChunk(cmsIT8* it8, cmsUInt32Number size)
cmsUInt8Number* ptr;
size = _cmsALIGNMEM(size);
+ if (size == 0) return NULL;
if (size > Free) {
@@ -1598,22 +1599,26 @@ cmsInt32Number satoi(const char* b)
static cmsBool AllocateDataFormat(cmsIT8* it8)
{
+ cmsUInt32Number size;
+
TABLE* t = GetTable(it8);
- if (t -> DataFormat) return TRUE; // Already allocated
+ if (t->DataFormat) return TRUE; // Already allocated
- t -> nSamples = satoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
+ t->nSamples = satoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
- if (t -> nSamples <= 0) {
+ if (t->nSamples <= 0 || t->nSamples > 0x7ffe) {
- SynError(it8, "AllocateDataFormat: Unknown NUMBER_OF_FIELDS");
- return FALSE;
- }
+ SynError(it8, "Wrong NUMBER_OF_FIELDS");
+ return FALSE;
+ }
+
+ size = ((cmsUInt32Number)t->nSamples + 1) * sizeof(char*);
- t -> DataFormat = (char**) AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * sizeof(char *));
+ t->DataFormat = (char**)AllocChunk(it8, size);
if (t->DataFormat == NULL) {
- SynError(it8, "AllocateDataFormat: Unable to allocate dataFormat array");
+ SynError(it8, "Unable to allocate dataFormat array");
return FALSE;
}
@@ -1642,7 +1647,7 @@ cmsBool SetDataFormat(cmsIT8* it8, int n, const char *label)
return FALSE;
}
- if (n > t -> nSamples) {
+ if (n >= t -> nSamples) {
SynError(it8, "More than NUMBER_OF_FIELDS fields.");
return FALSE;
}
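Review bot: The new `if (size == 0) return NULL;` in AllocChunk fails silently and carries no comment saying why a zero size is rejected. If `_cmsALIGNMEM` rounds up, a request near the top of the 32-bit range presumably wraps to 0 at this point, which would be the case the guard is there to catch; a comment such as `// Reject empty requests and sizes that wrapped to 0 during alignment` would record that intent. Every caller now has to treat NULL as a possible result: AllocateDataFormat does, the other callers are not visible here. AllocChunk's body starts before and continues after this hunk.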
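Review bot: In AllocateDataFormat the result of `satoi(...)` is written to `t->nSamples` before the range check, so on the `Wrong NUMBER_OF_FIELDS` path the table keeps the rejected count while `t->DataFormat` stays NULL. Parsing into a local and storing it only after validation avoids leaving that state behind for any later reader of `nSamples`: `cmsInt32Number n = satoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));`, then `if (n <= 0 || n > 0x7ffe) {` and, after the check, `t->nSamples = n;`. The bound `0x7ffe` is a bare literal; a named constant with a one-line comment on which allocation it protects would make the limit easier to audit. The function ends outside the hunk.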
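Review bot: The corrected test `if (n >= t -> nSamples) {` in SetDataFormat still has no lower bound, and `n` is a signed `int`. If any caller can pass a negative index, it passes this test and presumably reaches the DataFormat indexing further down, which is outside the hunk; `if (n < 0 || n >= t -> nSamples) {` would close both ends of the range. SetDataFormat starts before and ends after this hunk.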