aboutsummaryrefslogtreecommitdiffstats
path: root/main/lcms2/CVE-2016-10165.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/lcms2/CVE-2016-10165.patch')
-rw-r--r--main/lcms2/CVE-2016-10165.patch20
1 files changed, 20 insertions, 0 deletions
diff --git a/main/lcms2/CVE-2016-10165.patch b/main/lcms2/CVE-2016-10165.patch
new file mode 100644
index 0000000000..f0e452f3b5
--- /dev/null
+++ b/main/lcms2/CVE-2016-10165.patch
@@ -0,0 +1,20 @@
+commit 5ca71a7bc18b6897ab21d815d15e218e204581e2
+Author: Marti <marti.maria@tktbrainpower.com>
+Date: Mon Aug 15 23:31:39 2016 +0200
+
+ Added an extra check to MLU bounds
+
+ Thanks to Ibrahim el-sayed for spotting the bug
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+
+ // Check for overflow
+ if (Offset < (SizeOfHeader + 8)) goto Error;
++ if ((Offset + Len) > SizeOfTag + 8) goto Error;
+
+ // True begin of the string
+ BeginOfThisString = Offset - SizeOfHeader - 8;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-07 21:38:18 +0000