Marti,
I just found a bug in one of the modules in Version 1.12 of LittleCMS. In cmsio1.c, in the function ReadEmbeddedTextTag(), you have a variable called "Dummy" that is declared as an icUInt8Number, but a few lines below the declaration it is read as an icUInt16Number: the Read writes sizeof(icUInt16Number) bytes into a one-byte local, so the second byte lands on whatever sits next to "Dummy" on the stack, causing stack corruption. Here's a code snippet, with the correction:
static int
ReadEmbeddedTextTag(LPLCMSICCPROFILE Icc, size_t size, char* Name) {
icTagBase Base; Icc ->Read(&Base, sizeof(icTagBase), 1, Icc ->
stream); size -= sizeof(icTagBase);
AdjustEndianess32((LPBYTE) &Base.sig);
switch (Base.sig) {
case icSigTextDescriptionType:
{ icUInt32Number
AsciiCount;
icUInt32Number i, UnicodeCode, UnicodeCount;
icUInt16Number
ScriptCodeCode; #if 0
// @@ FOUND BUG: "Dummy" typed as 8
bit int, but being read as 16 bit
int .
icUInt8Number Dummy, ScriptCodeCount; #else
icUInt16Number Dummy;
icUInt8Number
ScriptCodeCount; #endif
Icc
->Read(&AsciiCount, sizeof(icUInt32Number), 1, Icc -> stream);
size -= sizeof(icUInt32Number);
AdjustEndianess32((LPBYTE) &AsciiCount);
Icc ->Read(Name, 1, AsciiCount, Icc
-> stream); size
-= AsciiCount;
// Skip Unicode code Icc
->Read(&UnicodeCode, sizeof(icUInt32Number), 1, Icc -> stream);
size -= sizeof(icUInt32Number);
Icc ->Read(&UnicodeCount,
sizeof(icUInt32Number), 1,
Icc -> stream);
size -= sizeof(icUInt32Number);
AdjustEndianess32((LPBYTE) &UnicodeCount);
if (UnicodeCount > size) return size;
for (i=0; i < UnicodeCount; i++)
Icc ->Read(&Dummy, sizeof(icUInt16Number), 1, Icc ->
stream); // <---- RIGHT HERE: Dummy being
read as 16 bit int
Just thought you'd like to know about this bug in case you haven't
encountered it already.
Bryan