----- Original Message -----
Sent: Monday, February 02, 2004 1:14 AM
Subject: [Lcms-user] Bug in LittleCMS 1.12, cmsio1.c
Marti,
I just found a bug in one of the modules in Version 1.12 of LittleCMS. In cmsio1.c, in the function ReadEmbeddedTextTag() you have a variable called "Dummy" that's typed as an icUInt8Number, but a few lines down from the declaration it's being read as an icUInt16Number, causing a stack corruption. Here's a code snippet, with correction:
static
int ReadEmbeddedTextTag(LPLCMSICCPROFILE Icc, size_t size, char* Name)
{
    icTagBase Base;

    Icc ->Read(&Base, sizeof(icTagBase), 1, Icc -> stream);
    size -= sizeof(icTagBase);

    AdjustEndianess32((LPBYTE) &Base.sig);

    switch (Base.sig) {

    case icSigTextDescriptionType: {

        icUInt32Number  AsciiCount;
        icUInt32Number  i, UnicodeCode, UnicodeCount;
        icUInt16Number  ScriptCodeCode;
#if 0
        // @@ FOUND BUG: "Dummy" typed as 8 bit int, but being read as 16 bit int.
        icUInt8Number   Dummy, ScriptCodeCount;
#else
        icUInt16Number  Dummy;
        icUInt8Number   ScriptCodeCount;
#endif

        Icc ->Read(&AsciiCount, sizeof(icUInt32Number), 1, Icc -> stream);
        size -= sizeof(icUInt32Number);
        AdjustEndianess32((LPBYTE) &AsciiCount);
        Icc ->Read(Name, 1, AsciiCount, Icc -> stream);
        size -= AsciiCount;

        // Skip Unicode code
        Icc ->Read(&UnicodeCode, sizeof(icUInt32Number), 1, Icc -> stream);
        size -= sizeof(icUInt32Number);
        Icc ->Read(&UnicodeCount, sizeof(icUInt32Number), 1, Icc -> stream);
        size -= sizeof(icUInt32Number);
        AdjustEndianess32((LPBYTE) &UnicodeCount);

        if (UnicodeCount > size) return size;

        for (i=0; i < UnicodeCount; i++)
            Icc ->Read(&Dummy, sizeof(icUInt16Number), 1, Icc -> stream); // <---- RIGHT HERE: Dummy being read as 16 bit int
Just thought you'd like to know about this bug in case you haven't
encountered it already.
Bryan
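As an added illustration of the fix described in the message above (this is not code from the email or from LittleCMS): a stand-alone C parser for the same textDescriptionType field layout, using a hypothetical in-memory MemStream in place of Icc->Read. The skip variable is declared with the same width as the read (16 bits), and every read is bounded against the tag size, so a truncated tag or an oversized UnicodeCount is rejected instead of corrupting the stack.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical in-memory stand-in for the Icc->Read stream (not lcms code). */
typedef struct { const uint8_t *p; size_t len, pos; } MemStream;

/* Bounded read: fail instead of running past the end of the tag. */
static int mem_read(MemStream *s, void *dst, size_t n)
{
    if (n > s->len - s->pos) return 0;
    memcpy(dst, s->p + s->pos, n); s->pos += n; return 1;
}
static uint32_t be32(const uint8_t *b)
{ return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3]; }

/* Parse a textDescriptionType body (bytes after icTagBase): AsciiCount, ASCII
 * name, Unicode language code, UnicodeCount, then UnicodeCount 16-bit chars
 * that are skipped. Returns bytes consumed, or -1 on any overrun. */
static int parse_text_description(const uint8_t *tag, size_t size,
                                  char *name, size_t name_cap)
{
    MemStream s = { tag, size, 0 };
    uint8_t raw[4];
    uint32_t ascii_count, unicode_count, i;
    uint16_t dummy;   /* 16-bit, matching the sizeof(icUInt16Number) read */
    if (!mem_read(&s, raw, 4)) return -1;
    ascii_count = be32(raw);
    if (ascii_count == 0 || ascii_count > name_cap) return -1;
    if (!mem_read(&s, name, ascii_count)) return -1;
    name[ascii_count - 1] = '\0';          /* force NUL termination */
    if (!mem_read(&s, raw, 4)) return -1;  /* Unicode language code, unused */
    if (!mem_read(&s, raw, 4)) return -1;
    unicode_count = be32(raw);
    if (unicode_count > (s.len - s.pos) / sizeof dummy) return -1;
    for (i = 0; i < unicode_count; i++)
        if (!mem_read(&s, &dummy, sizeof dummy)) return -1;
    return (int)s.pos;
}
/* Constructed sample: "abc\0", language code 0, two Unicode characters. */
static const uint8_t sample_tag[] = {
    0,0,0,4, 'a','b','c',0, 0,0,0,0, 0,0,0,2, 0,'a', 0,'b' };
/* Well-formed input: 20 bytes consumed once the name checks out, else -2. */
int demo_well_formed(void)
{
    char name[16];
    int n = parse_text_description(sample_tag, sizeof sample_tag, name, 16);
    return (n > 0 && strcmp(name, "abc") == 0) ? n : -2;
}
/* Same bytes with the Unicode block cut short: the bounded reads reject it. */
int demo_truncated(void)
{
    char name[16];
    return parse_text_description(sample_tag, sizeof sample_tag - 3, name, 16);
}
```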