Description: Fix multiple integer overflows in AllocateDataSet()
Fix for CVE-2018-16435
.
Author: Marti Maria <marti.maria@littlecms.com>
Origin: upstream, https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
Bug: https://github.com/mm2/Little-CMS/issues/171
Bug-Debian: http://bugs.debian.org/907983
Forwarded: not-needed
Applied-upstream: https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
diff --git a/src/cmscgats.c b/src/cmscgats.c
index 1a87613..8c3e96d 100644
--- a/src/cmscgats.c
+++ b/src/cmscgats.c
@@ -1506,10 +1506,16 @@ void AllocateDataSet(cmsIT8* it8)
t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
- if (t->Data == NULL) {
+ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+ {
+ SynError(it8, "AllocateDataSet: too much data");
+ }
+ else {
+ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+ if (t->Data == NULL) {
- SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ }
}
}
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
6b5753fbac51e83db1faf690701c3f3a
>
files
>
3
