25457171 problem in UTILITY/LCMS
author Rich Burridge <rich.burridge@oracle.com>
Thu, 26 Jan 2017 13:56:09 -0800
changeset 7614 28cf33312cab
parent 7613 a31c7604d93f
child 7617 14b1a4293086
components/lcms2/patches/02-CVE-2016-10165.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/lcms2/patches/02-CVE-2016-10165.patch	Thu Jan 26 13:56:09 2017 -0800
@@ -0,0 +1,25 @@
+Fix for CVE-2016-10165.
+
+An out-of-bounds heap read in lcms2 ("Little Colour Management System"),
+in the function Type_MLU_Read in cmstypes.c.  This could be triggered by
+an untrusted image with a crafted ICC profile.
+
+Fixed in commit:
+
+  https://github.com/mm2/Little-CMS/commit/5ca71a7b
+
+CVE request:
+
+  http://seclists.org/oss-sec/2016/q3/288
+
+--- lcms2-2.7/src/cmstypes.c.orig	2017-01-26 12:03:40.909307381 +0000
++++ lcms2-2.7/src/cmstypes.c	2017-01-26 12:04:13.140820287 +0000
+@@ -1454,7 +1454,7 @@
+         if (!_cmsReadUInt32Number(io, &Offset)) goto Error;
+ 
+         // Check for overflow
+-        if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
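Review bot: In the embedded cmstypes.c hunk at line 1454, the new test `if ((Offset + Len) > SizeOfTag + 8) goto Error;` replaces the lower-bound test `if (Offset < (SizeOfHeader + 8)) goto Error;` rather than being added next to it, so the context line `BeginOfThisString = Offset - SizeOfHeader - 8;` is no longer protected and can wrap when Offset is smaller than SizeOfHeader + 8. I would keep the old test and add the new one after it. Separately, Offset is read with `_cmsReadUInt32Number`, so if Len is also a 32-bit unsigned value the sum `Offset + Len` can wrap and pass the comparison; a guard such as `(Offset + Len) < Len` ahead of the upper-bound test would cover that case. The "Check for overflow" comment would also be clearer if it named both bounds being enforced.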