aboutsummaryrefslogtreecommitdiffstats
path: root/main/lcms2/CVE-2016-10165.patch
blob: f0e452f3b5e05332553d0e7ef929cd1472cf6273 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
commit 5ca71a7bc18b6897ab21d815d15e218e204581e2
Author: Marti <marti.maria@tktbrainpower.com>
Date:   Mon Aug 15 23:31:39 2016 +0200

    Added an extra check to MLU bounds
    
    Thanks to Ibrahim el-sayed for spotting the bug

diff --git a/src/cmstypes.c b/src/cmstypes.c
index cb61860..c7328b9 100644
--- a/src/cmstypes.c
+++ b/src/cmstypes.c
@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
 
         // Check for overflow
         if (Offset < (SizeOfHeader + 8)) goto Error;
+        if ((Offset + Len) > SizeOfTag + 8) goto Error;
 
         // True begin of the string
         BeginOfThisString = Offset - SizeOfHeader - 8;