1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
Description: Sanity check the profile version, fix for CVE-2014-0459
The patch was changed to still call cmsWhitePointFromTemp(),
see https://github.com/mm2/Little-CMS/issues/30
Origin: upstream, https://github.com/mm2/Little-CMS/commit/74ba391
Bug: https://github.com/mm2/Little-CMS/issues/29
Bug-Debian: https://bugs.debian.org/745471
Forwarded: not-needed
Applied-Upstream: https://github.com/mm2/Little-CMS/commit/74ba391
Last-Update: 2014-04-25
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/cmscnvrt.c
+++ b/src/cmscnvrt.c
@@ -1045,7 +1045,7 @@
if (TheIntents[i] == INTENT_PERCEPTUAL || TheIntents[i] == INTENT_SATURATION) {
// Force BPC for V4 profiles in perceptual and saturation
- if (cmsGetProfileVersion(hProfiles[i]) >= 4.0)
+ if (cmsGetEncodedICCversion(hProfiles[i]) >= 0x4000000)
BPC[i] = TRUE;
}
}
--- a/src/cmsintrp.c
+++ b/src/cmsintrp.c
@@ -929,7 +929,7 @@
Rest = c1 * rx + c2 * ry + c3 * rz;
- Tmp1[OutChan] = (cmsUInt16Number) c0 + ROUND_FIXED_TO_INT(_cmsToFixedDomain(Rest));
+ Tmp1[OutChan] = (cmsUInt16Number) ( c0 + ROUND_FIXED_TO_INT(_cmsToFixedDomain(Rest)));
}
@@ -993,7 +993,7 @@
Rest = c1 * rx + c2 * ry + c3 * rz;
- Tmp2[OutChan] = (cmsUInt16Number) c0 + ROUND_FIXED_TO_INT(_cmsToFixedDomain(Rest));
+ Tmp2[OutChan] = (cmsUInt16Number) (c0 + ROUND_FIXED_TO_INT(_cmsToFixedDomain(Rest)));
}
--- a/src/cmsio0.c
+++ b/src/cmsio0.c
@@ -623,6 +623,32 @@
}
+
+// Enforces that the profile version is per. spec.
+// Operates on the big endian bytes from the profile.
+// Called before converting to platform endianness.
+// Byte 0 is BCD major version, so max 9.
+// Byte 1 is 2 BCD digits, one per nibble.
+// Reserved bytes 2 & 3 must be 0.
+static
+cmsUInt32Number _validatedVersion(cmsUInt32Number DWord)
+{
+ cmsUInt8Number* pByte = (cmsUInt8Number*) &DWord;
+ cmsUInt8Number temp1;
+ cmsUInt8Number temp2;
+
+ if (*pByte > 0x09) *pByte = (cmsUInt8Number) 0x09;
+ temp1 = *(pByte+1) & 0xf0;
+ temp2 = *(pByte+1) & 0x0f;
+ if (temp1 > 0x90) temp1 = 0x90;
+ if (temp2 > 0x09) temp2 = 0x09;
+ *(pByte+1) = (cmsUInt8Number)(temp1 | temp2);
+ *(pByte+2) = (cmsUInt8Number)0;
+ *(pByte+3) = (cmsUInt8Number)0;
+
+ return DWord;
+}
+
// Read profile header and validate it
cmsBool _cmsReadHeader(_cmsICCPROFILE* Icc)
{
@@ -657,7 +683,7 @@
Icc -> creator = _cmsAdjustEndianess32(Header.creator);
_cmsAdjustEndianess64(&Icc -> attributes, &Header.attributes);
- Icc -> Version = _cmsAdjustEndianess32(Header.version);
+ Icc -> Version = _cmsAdjustEndianess32(_validatedVersion(Header.version));
// Get size as reported in header
HeaderSize = _cmsAdjustEndianess32(Header.size);
--- a/src/cmsio1.c
+++ b/src/cmsio1.c
@@ -906,7 +906,7 @@
{
if (!cmsWriteTag(hProfile, cmsSigProfileSequenceDescTag, seq)) return FALSE;
- if (cmsGetProfileVersion(hProfile) >= 4.0) {
+ if (cmsGetEncodedICCversion(hProfile) >= 0x4000000) {
if (!cmsWriteTag(hProfile, cmsSigProfileSequenceIdTag, seq)) return FALSE;
}
--- a/src/cmsplugin.c
+++ b/src/cmsplugin.c
@@ -932,8 +932,8 @@
// Search for previous
for (prev = _cmsContextPoolHead;
- prev != NULL;
- prev = prev ->Next)
+ prev != NULL;
+ prev = prev ->Next)
{
if (prev -> Next == ctx) {
prev -> Next = ctx ->Next;
--- a/src/cmsvirt.c
+++ b/src/cmsvirt.c
@@ -642,7 +642,7 @@
// Create the ICC virtual profile for sRGB space
cmsHPROFILE CMSEXPORT cmsCreate_sRGBProfileTHR(cmsContext ContextID)
{
- cmsCIExyY D65;
+ cmsCIExyY D65 = { 0.3127, 0.3290, 1.0 };
cmsCIExyYTRIPLE Rec709Primaries = {
{0.6400, 0.3300, 1.0},
{0.3000, 0.6000, 1.0},
|
