Perform boundary checks before parsing iccData

Bug: 317782344 Test: ultrahdr_app -m 1 -j ./poc
author: Ram Mohan <ram.mohan@ittiam.com> 2023-12-27 11:36:02 +0530
committer: Ram Mohan M <ram.mohan@ittiam.com> 2024-01-01 20:09:01 +0530
commit: 683ff97c81c9db533095435b032acf50255f39f3 (patch)
tree: b854e56617055242cdd77f7b0625c7506472d638 /lib
parent: d72d3a69ed6209886bd217fce0b19084c6497f49 (diff)
download: libultrahdr-683ff97c81c9db533095435b032acf50255f39f3.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/src/icc.cpp b/lib/src/icc.cpp
index b838660..0b4b341 100644
--- a/lib/src/icc.cpp
+++ b/lib/src/icc.cpp
@@ -633,6 +633,13 @@ ultrahdr_color_gamut IccHelper::readIccColorGamut(void* icc_data, size_t icc_siz
   size_t red_primary_offset = 0, green_primary_offset = 0, blue_primary_offset = 0;
   size_t red_primary_size = 0, green_primary_size = 0, blue_primary_size = 0;
   for (size_t tag_idx = 0; tag_idx < Endian_SwapBE32(header->tag_count); ++tag_idx) {
+    if (icc_size < kICCIdentifierSize + sizeof(ICCHeader) + ((tag_idx + 1) * kTagTableEntrySize)) {
+      ALOGE(
+          "Insufficient buffer size during icc parsing. tag index %zu, header %zu, tag size %zu, "
+          "icc size %zu",
+          tag_idx, kICCIdentifierSize + sizeof(ICCHeader), kTagTableEntrySize, icc_size);
+      return ULTRAHDR_COLORGAMUT_UNSPECIFIED;
+    }
     uint32_t* tag_entry_start =
         reinterpret_cast<uint32_t*>(icc_bytes + sizeof(ICCHeader) + tag_idx * kTagTableEntrySize);
     // first 4 bytes are the tag signature, next 4 bytes are the tag offset,
author	Ram Mohan <ram.mohan@ittiam.com>	2023-12-27 11:36:02 +0530
committer	Ram Mohan M <ram.mohan@ittiam.com>	2024-01-01 20:09:01 +0530
commit	683ff97c81c9db533095435b032acf50255f39f3 (patch)
tree	b854e56617055242cdd77f7b0625c7506472d638 /lib
parent	d72d3a69ed6209886bd217fce0b19084c6497f49 (diff)
download	libultrahdr-683ff97c81c9db533095435b032acf50255f39f3.tar.gz