• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1diff --git a/third_party/lcms/src/cmscgats.c b/third_party/lcms/src/cmscgats.c
2index 5720c66a7..cce4cedba 100644
3--- a/third_party/lcms/src/cmscgats.c
4+++ b/third_party/lcms/src/cmscgats.c
5@@ -150,23 +150,24 @@ typedef struct {
6         SUBALLOCATOR   Allocator;             // String suballocator -- just to keep it fast
7
8         // Parser state machine
9-        SYMBOL         sy;                    // Current symbol
10-        int            ch;                    // Current character
11+        SYMBOL             sy;                // Current symbol
12+        int                ch;                // Current character
13+
14+        cmsInt32Number     inum;              // integer value
15+        cmsFloat64Number   dnum;              // real value
16
17-        int            inum;                  // integer value
18-        cmsFloat64Number         dnum;                  // real value
19         char           id[MAXID];             // identifier
20         char           str[MAXSTR];           // string
21
22         // Allowed keywords & datasets. They have visibility on whole stream
23-        KEYVALUE*     ValidKeywords;
24-        KEYVALUE*     ValidSampleID;
25+        KEYVALUE*      ValidKeywords;
26+        KEYVALUE*      ValidSampleID;
27
28         char*          Source;                // Points to loc. being parsed
29-        int            lineno;                // line counter for error reporting
30+        cmsInt32Number lineno;                // line counter for error reporting
31
32         FILECTX*       FileStack[MAXINCLUDE]; // Stack of files being parsed
33-        int            IncludeSP;             // Include Stack Pointer
34+        cmsInt32Number IncludeSP;             // Include Stack Pointer
35
36         char*          MemoryBlock;           // The stream if holded in memory
37
38@@ -568,8 +569,8 @@ void ReadReal(cmsIT8* it8, int inum)
39     // Exponent, example 34.00E+20
40     if (toupper(it8->ch) == 'E') {
41
42-        int e;
43-        int sgn;
44+        cmsInt32Number e;
45+        cmsInt32Number sgn;
46
47         NextCh(it8); sgn = 1;
48
49@@ -587,7 +588,7 @@ void ReadReal(cmsIT8* it8, int inum)
50             e = 0;
51             while (isdigit(it8->ch)) {
52
53-                if ((cmsFloat64Number) e * 10L < INT_MAX)
54+                if ((cmsFloat64Number) e * 10L < (cmsFloat64Number) +2147483647.0)
55                     e = e * 10 + (it8->ch - '0');
56
57                 NextCh(it8);
58@@ -777,7 +778,7 @@ void InSymbol(cmsIT8* it8)
59
60                 while (isdigit(it8->ch)) {
61
62-                    if ((long) it8->inum * 10L > (long) INT_MAX) {
63+                    if ((cmsFloat64Number) it8->inum * 10L > (cmsFloat64Number) +2147483647.0) {
64                         ReadReal(it8, it8->inum);
65                         it8->sy = SDNUM;
66                         it8->dnum *= sign;
67diff --git a/third_party/lcms/src/cmstypes.c b/third_party/lcms/src/cmstypes.c
68index 0256e247b..75f1fae32 100644
69--- a/third_party/lcms/src/cmstypes.c
70+++ b/third_party/lcms/src/cmstypes.c
71@@ -4199,9 +4199,13 @@ void *Type_MPEmatrix_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io
72     if (!_cmsReadUInt16Number(io, &OutputChans)) return NULL;
73
74
75+    // Input and output chans may be ANY (up to 0xffff),
76+    // but we choose to limit to 16 channels for now
77+    if (InputChans >= cmsMAXCHANNELS) return NULL;
78+    if (OutputChans >= cmsMAXCHANNELS) return NULL;
79+
80     nElems = InputChans * OutputChans;
81
82-    // Input and output chans may be ANY (up to 0xffff)
83     Matrix = (cmsFloat64Number*) _cmsCalloc(self ->ContextID, nElems, sizeof(cmsFloat64Number));
84     if (Matrix == NULL) return NULL;
85
86