fix possible out-ob-bounds read

Thanks to tsdgeos for finding the bug
author: Marti Maria <marti.maria@littlecms.com> 2021-01-05 10:35:29 +0100
committer: Marti Maria <marti.maria@littlecms.com> 2021-01-05 10:35:29 +0100
commit: 99ae7d450dea3d15e2cd4ba32a15bf8547f026cb (patch)
tree: 638c297d3fbbeec7ea780c608ea44dc5ccd2a5cc
parent: 1b3e32f55b42294ab6eebe058e83312c2ab67c4d (diff)
download: lcms2-99ae7d450dea3d15e2cd4ba32a15bf8547f026cb.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/src/cmsps2.c b/src/cmsps2.c
index b8e9fe4..068f0ce 100644
--- a/src/cmsps2.c
+++ b/src/cmsps2.c
@@ -529,9 +529,10 @@ void Emit1Gamma(cmsIOHANDLER* m, cmsToneCurve* Table, const char* name)
 // Compare gamma table
 
 static
-cmsBool GammaTableEquals(cmsUInt16Number* g1, cmsUInt16Number* g2, cmsUInt32Number nEntries)
+cmsBool GammaTableEquals(cmsUInt16Number* g1, cmsUInt16Number* g2, cmsUInt32Number nG1, cmsUInt32Number nG2)
 {
-    return memcmp(g1, g2, nEntries* sizeof(cmsUInt16Number)) == 0;
+    if (nG1 != nG2) return FALSE;
+    return memcmp(g1, g2, nG1 * sizeof(cmsUInt16Number)) == 0;
 }
 
 
@@ -547,7 +548,7 @@ void EmitNGamma(cmsIOHANDLER* m, cmsUInt32Number n, cmsToneCurve* g[], const cha
     {
         if (g[i] == NULL) return; // Error
 
-        if (i > 0 && GammaTableEquals(g[i-1]->Table16, g[i]->Table16, g[i]->nEntries)) {
+        if (i > 0 && GammaTableEquals(g[i-1]->Table16, g[i]->Table16, g[i-1]->nEntries, g[i]->nEntries)) {
 
             _cmsIOPrintf(m, "/%s%d /%s%d load def\n", nameprefix, i, nameprefix, i-1);
         }
author	Marti Maria <marti.maria@littlecms.com>	2021-01-05 10:35:29 +0100
committer	Marti Maria <marti.maria@littlecms.com>	2021-01-05 10:35:29 +0100
commit	99ae7d450dea3d15e2cd4ba32a15bf8547f026cb (patch)
tree	638c297d3fbbeec7ea780c608ea44dc5ccd2a5cc
parent	1b3e32f55b42294ab6eebe058e83312c2ab67c4d (diff)
download	lcms2-99ae7d450dea3d15e2cd4ba32a15bf8547f026cb.tar.gz