One of our customers found a bug in lcms 1.15 (used in the product CentraDoc: http://lib-sys.com). They are "fuzzing" pdf input files to test robustness.
When MemoryRead signals an error it fell through to the CopyMemory, which caused ugly "undefined behavior". This particular glitch is fixed in the latest lcms (1.17) (actually cmsio0.c 1.5, 7/2006 on SourceForge).

The MemoryRead was called from ReadBase. I've noticed that even the latest ReadBase (cmsio1.c) doesn't check the return value from Icc->Read, so the Base value returned could be arbitrary, which could lead to more "undefined behavior"; even if it is unlikely to match a valid base, it could... Base should be initialized, probably to 0 or icMaxEnumData, whichever makes more sense.

There are still some unchecked reads in cmsio1.c, and some look potentially troublesome, for example in cmsReadProfileSequenceDescription, which could allocate arbitrary amounts of memory.

There are some strcpy/strcat/strncpy calls lying about as well; although I'm not sure yet if there are real holes there, it would be better to replace those calls, even if they are checked correctly.

I'm considering using setjmp/longjmp in the UserErrorHandler to avoid any more failures in the error unwinding, although that doesn't help for undetected errors.

This is all just FYI, but I'll post again if I come up with any conclusions or patches.

d

_______________________________________________
Lcms-user mailing list
Lcms-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lcms-user
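The checked-read pattern the post argues for (the read's return value checked before anything is copied, Base zeroed before the read, and a file-supplied element count bounded by the bytes actually present before it sizes an allocation), as an added example that is not lcms code: MemReader, mem_read, read_be32 and parse_header are hypothetical stand-ins for the lcms routines named above, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-ins (not lcms's own API) for the pattern the post describes:
   an in-memory reader that reports short reads, and callers that check it. */
typedef struct { const uint8_t *data; size_t size; size_t pos; } MemReader;

/* Returns the number of items read, 0 on error. Nothing is copied unless the
   whole request fits, so a failed read cannot fall through into the copy. */
static size_t mem_read(void *buf, size_t item_size, size_t count, MemReader *r)
{
    size_t want;
    if (!r || !buf || item_size == 0 || count == 0) return 0;
    if (count > SIZE_MAX / item_size) return 0;   /* item_size * count overflows */
    want = item_size * count;
    if (want > r->size - r->pos) return 0;        /* short read */
    memcpy(buf, r->data + r->pos, want);
    r->pos += want;
    return count;
}

/* Reads one 4-byte big-endian field (ICC byte order). *out is zeroed first so a
   failed read never leaves an arbitrary value behind; returns 1 on success. */
static int read_be32(MemReader *r, uint32_t *out)
{
    uint8_t p[4];
    *out = 0;
    if (mem_read(p, 1, 4, r) != 4) return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return 1;
}

/* Parses "type signature (base), element count, count * entry_size bytes". A count
   the remaining bytes cannot back is rejected, so a file-supplied count cannot size
   an arbitrary allocation. Returns 1 on success; base and count are 0 on failure. */
int parse_header(const uint8_t *buf, size_t len, size_t entry_size,
                 uint32_t *base, uint32_t *count)
{
    MemReader r = { buf, len, 0 };
    *count = 0;
    if (!read_be32(&r, base)) return 0;           /* the check ReadBase lacked */
    if (!read_be32(&r, count) || entry_size == 0 ||
        *count > (r.size - r.pos) / entry_size) { *base = 0; *count = 0; return 0; }
    return 1;
}
/* Constructed inputs: 'mluc' + count 2 + two 4-byte entries; 'mluc' claiming 9 entries with none. */
const uint8_t sample_ok[] = { 'm','l','u','c', 0,0,0,2, 1,2,3,4, 5,6,7,8 };
const uint8_t sample_bad[] = { 'm','l','u','c', 0,0,0,9 };
uint32_t g_base, g_count;   /* outputs of parse_header, read back by the checks */
```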