icc: add offset bounds checks to read_sign

author Øyvind Kolås <pippin@gimp.org>

Wed, 3 Feb 2021 00:00:16 +0000 (01:00 +0100)

committer Øyvind Kolås <pippin@gimp.org>

Wed, 3 Feb 2021 00:10:38 +0000 (01:10 +0100)
author Øyvind Kolås <pippin@gimp.org>
Wed, 3 Feb 2021 00:00:16 +0000 (01:00 +0100)
committer Øyvind Kolås <pippin@gimp.org>
Wed, 3 Feb 2021 00:10:38 +0000 (01:10 +0100)
diff --git a/babl/babl-icc.c b/babl/babl-icc.c

index b5e42694713c16a39be04ac03bb2c98908d16c15..52a35d2a5a9b7c76d95829271eb09ed9e39f3b00 100644 (file)
--- a/babl/babl-icc.c
+++ b/babl/babl-icc.c
@@ -322,6 +322,11 @@ read_sign (ICC *state,
             int  offset)
  {
    sign_t ret;
+  if (offset < 0 || offset > state->length - 4)
+  {
+    for (int i = 0; i < 5; i ++) ret.str[0]=0;
+    return ret;
+  }
    ret.str[0]=icc_read (u8, offset);
    ret.str[1]=icc_read (u8, offset + 1);
    ret.str[2]=icc_read (u8, offset + 2);
@@ -1191,7 +1196,7 @@ babl_space_from_icc (const char   *icc_data,
                  trc_red, trc_green, trc_blue);
  
         babl_free (state);
-       ret->space.icc_length = icc_length;
+       ret->space.icc_length  = icc_length;
         ret->space.icc_profile = malloc (icc_length);
         memcpy (ret->space.icc_profile, icc_data, icc_length);
         return ret;
author	Øyvind Kolås <pippin@gimp.org>
	Wed, 3 Feb 2021 00:00:16 +0000 (01:00 +0100)
committer	Øyvind Kolås <pippin@gimp.org>
	Wed, 3 Feb 2021 00:10:38 +0000 (01:10 +0100)