path: root/gs/icclib
Age | Commit message | Author | Files | Lines
2009-07-28 | Add bounds checking to various icclib functions. | Ralph Giles | 1 | -69/+401
Based on a set of patches by Jan Lieskovsky at Red Hat, addressing CVE-2009-0583 and CVE-2009-0792.
Details: Various _get_size and _write methods in icclib 2.01 were vulnerable to integer overflow from corrupt or malicious profile data. This commit makes a number of changes to address this.
First, it enforces bounds checking on array indices generated through tag data lookup or floating point calculations, either throwing an error or clamping, depending on the context.
Second, it converts a number of malloc(nelement*size) calls into calloc(nelements, size), passing responsibility for overflow control to the standard library. This works on recent glibc, MacOS 10.4 (at least) and MSVC 2005 (at least; I believe MSVC 6 doesn't check for overflow). Systems which overcommit memory allocations generally also lazily zero pages, so the performance implications of an overflow in calloc() resulting in a huge allocation (or the same happening at the request of corrupt or malicious ICC profile data) are not as bad as might appear relative to the original malloc(). From the other side, multi-processing systems must often zero pages delivered to malloc anyway to prevent information leakage.
On top of Jan's patches, this commit uses a fallback for SIZE_MAX, a stdint.h define which isn't available on all platforms (notably MSVC), and changes a number of error messages to match the malloc->calloc changes.
It fixes a serious bug where the new error checking code incorrectly rejected valid profiles with an MLUT but no black point tag. icc_get_luobj() always tried to load the black point tag, and if it wasn't found, icc_read_tag() would set an error flag, which was later picked up in icmLut_read() by the check added for the results of icmLut_get_size(). Since the black point tag is optional, and icclib already substitutes a default (0,0,0) black point if none is contained in the profile, we just reset the error condition within icc_get_luobj(). vtm2k.pdf is a good testfile for this issue.
Likewise, the length of lookup tables was limited to 100 points, as a resource consumption constraint, but the spec allows LUTs with up to 255 points. Bug690495.pdf from the regression suite triggered this problem. Thanks to Michael Vrhel for these last two fixes. Expected Differences: None. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@9895 a1074d23-0009-0410-80fe-cf8c14f379e6
2008-05-09 | Reject incorrect ICC profile that has 0 offset in one of the tags | Alex Cherepanov | 1 | -10/+19
and use alternate color space. Bug 689830. DIFFERENCES: None git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@8722 a1074d23-0009-0410-80fe-cf8c14f379e6
2006-05-24 | Cast character values to (unsigned char) before calling isprint() and | Ralph Giles | 1 | -4/+4
friends. They are designed to work only with ASCII characters, but some implementations support passing 8 bit character data but only if it is positive to avoid conflict with a (-1) definition of EOF. Thus we should cast to map the high characters from negative to positive values on systems where char is signed by default. Bug 687529. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@6805 a1074d23-0009-0410-80fe-cf8c14f379e6
2004-09-28 | Cast the read standard illuminant to icIlluminant instead of | Ralph Giles | 1 | -1/+1
icStandardFlare inside icmMeasurement_read() inside the icc library. Not really our code, but resolves an enum mis-match warning. Bug 687694. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@5387 a1074d23-0009-0410-80fe-cf8c14f379e6
2003-08-26 | Fixing all MSVC compiler warnings (icclib). | Igor Melichev | 1 | -2/+2
git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@4169 a1074d23-0009-0410-80fe-cf8c14f379e6
2002-04-22 | Update icclib to the latest 2.02 release. | Ralph Giles | 6 | -217/+36
git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@2570 a1074d23-0009-0410-80fe-cf8c14f379e6
2002-04-18 | Removes trailing comma in enum. | Raph Levien | 1 | -1/+1
git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@2531 a1074d23-0009-0410-80fe-cf8c14f379e6
2002-04-18 | Upgrade icclib to (proposed) 2.01 release. Patch has been sent to | Raph Levien | 3 | -251/+522
Graeme Gill for consideration. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@2530 a1074d23-0009-0410-80fe-cf8c14f379e6
2001-10-19 | Updates icclib to version 2.0, and integrates icclib changes. In | Raph Levien | 6 | -2242/+4683
particular, icclib now accesses Ghostscript streams through the clean icmFile object interface, rather than previous hack. Removes remnants of previous hack, including gs_stdio.h header file and sread() and swrite() functions in stream.c. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@1793 a1074d23-0009-0410-80fe-cf8c14f379e6
2001-06-06 | This is the fix for [ #425014 ] Compile error on AIX in icc.c. | Dan Coby | 1 | -1/+1
The control87 is not defined on AIX systems (or probably on anything but x86 systems). This was suggested by Graeme Gill. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@1526 a1074d23-0009-0410-80fe-cf8c14f379e6
2001-04-20 | Patches for OpenVMS | Jacob Jansen | 1 | -3/+3
git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@1439 a1074d23-0009-0410-80fe-cf8c14f379e6
2001-04-07 | Fix: two small issues with compilation under xlc on IBM AIX RS6000, a name | Ralph Giles | 2 | -12/+12
conflict with structure names (u)int64, and trailing commas in enum declarations. Patch from Dan Coby. Sourceforge bug #414328. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@1401 a1074d23-0009-0410-80fe-cf8c14f379e6
2001-03-19 | Moves patched icclib 1.23 files into the new icclib/ subdirectory, with | Raph Levien | 6 | -0/+13034
makefile changes to match. Adds missing COPYRIGHT and other documentation to icclib. Thanks to L. Peter Deutsch for pointing out the need. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@1276 a1074d23-0009-0410-80fe-cf8c14f379e6