lcms2 (2.9-3) unstable; urgency=medium
* Fix integer overflow in AllocateDataSet() (CVE-2018-16435)
Thanks to Salvatore Bonaccorso <carnil@debian.org> and
Marti Maria <marti.maria@littlecms.com>
(Closes: #907983)
-- Thomas Weber <tweber@debian.org> Wed, 05 Sep 2018 17:59:06 +0200
lcms2 (2.9-2) unstable; urgency=medium
* Switch Vcs links to salsa.debian.org
......
Description: Fix multiple integer overflows in AllocateDataSet()
Fix for CVE-2018-16435
.
Author: Marti Maria <marti.maria@littlecms.com>
Origin: upstream, https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
Bug: https://github.com/mm2/Little-CMS/issues/171
Bug-Debian: http://bugs.debian.org/907983
Forwarded: not-needed
Applied-upstream: https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
diff --git a/src/cmscgats.c b/src/cmscgats.c
index 1a87613..8c3e96d 100644
--- a/src/cmscgats.c
+++ b/src/cmscgats.c
@@ -1506,10 +1506,16 @@ void AllocateDataSet(cmsIT8* it8)
t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
- if (t->Data == NULL) {
+ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+ {
+ SynError(it8, "AllocateDataSet: too much data");
+ }
+ else {
+ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+ if (t->Data == NULL) {
- SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ SynError(it8, "AllocateDataSet: Unable to allocate data array");
+ }
}
}
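Review bot: The 0x7ffe cap in the new range check keeps (nSamples + 1) * (nPatches + 1) within 32 bits (0x7fff * 0x7fff = 0x3FFF0001), but the following multiplication by sizeof(char*) reaches 0x1FFF80008 with 8-byte pointers. If AllocChunk takes a 32-bit size, the argument on the AllocChunk line is therefore still truncated at the top of the allowed range. Consider computing the byte count in a wider type and rejecting it when it exceeds what AllocChunk accepts, or lowering the cap, and add a comment saying how 0x7ffe was derived. Separately, the check depends on the atoi() results in the two context lines above it; atoi() has undefined behaviour when the value does not fit in an int, so parsing with strtol() and checking the result would make the new bound dependable. The condition also mixes `t -> nSamples` and `t->nSamples` spacing.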
prepare-for-libtoolizing.patch
dont-write-uninitialized-memory-for-color-strings.patch
CVE-2018-16435.patch