diff options
| author | Marti Maria <marti.maria@littlecms.com> | 2022-07-25 11:58:06 +0300 |
|---|---|---|
| committer | Marti Maria <marti.maria@littlecms.com> | 2022-07-25 11:58:06 +0300 |
| commit | 77758b7f815f4ced91e088ce855b31c90ad0a406 (patch) | |
| tree | e5a621512fb78b7192147955522356d64d0d7791 | |
| parent | 3d3001f0118984570a162d0b239d739529920e12 (diff) | |
sanitize linked tags
Prevent a rare way to currupt profiles that could potentially cause vulnerability issues
| -rw-r--r-- | src/cmsio0.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/src/cmsio0.c b/src/cmsio0.c index 1e9b8a9..f02d240 100644 --- a/src/cmsio0.c +++ b/src/cmsio0.c @@ -689,6 +689,27 @@ cmsBool CMSEXPORT cmsIsTag(cmsHPROFILE hProfile, cmsTagSignature sig) return _cmsSearchTag(Icc, sig, FALSE) >= 0; } + + +// Checks for link compatibility +static +cmsBool CompatibleTypes(const cmsTagDescriptor* desc1, const cmsTagDescriptor* desc2) +{ + cmsUInt32Number i; + + if (desc1 == NULL || desc2 == NULL) return FALSE; + + if (desc1->nSupportedTypes != desc2->nSupportedTypes) return FALSE; + if (desc1->ElemCount != desc2->ElemCount) return FALSE; + + for (i = 0; i < desc1->nSupportedTypes; i++) + { + if (desc1->SupportedTypes[i] != desc2->SupportedTypes[i]) return FALSE; + } + + return TRUE; +} + // Enforces that the profile version is per. spec. // Operates on the big endian bytes from the profile. // Called before converting to platform endianness. @@ -798,7 +819,12 @@ cmsBool _cmsReadHeader(_cmsICCPROFILE* Icc) if ((Icc ->TagOffsets[j] == Tag.offset) && (Icc ->TagSizes[j] == Tag.size)) { - Icc ->TagLinked[Icc ->TagCount] = Icc ->TagNames[j]; + // Check types. Abort whole profile if a forged link is found + if (CompatibleTypes(_cmsGetTagDescriptor(Icc->ContextID, Icc->TagNames[j]), + _cmsGetTagDescriptor(Icc->ContextID, Tag.sig))) { + + Icc->TagLinked[Icc->TagCount] = Icc->TagNames[j]; + } } } |