Closed Bug 1481855 Opened 7 years ago Closed 7 years ago

Acessing outside buffer range in different functions in qcms/transform_util.c

Categories

(Core :: Graphics: Color Management, defect)

Product:
Core
Component:
Graphics: Color Management
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: vhancharenka, Unassigned)

Details

Attachments

(2 files)

DELL P2715Q.icm.icc
1.26 MB, application/octet-stream
Details
qcms-test.zip
1.24 MB, application/x-zip-compressed
Details
Attached file DELL P2715Q.icm.icc
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3517.0 Safari/537.36 Steps to reproduce: Here is the program where there is access to item outside buffer: #include <fstream> #include <vector> #include <assert.h> extern "C" { #include "qcms/qcms.h" #include "qcms/chain.h" #include "adobe-rgb.h" } int main() { qcms_enable_iccv4(); float src1[] = { 0.0, 1.0, 0.0 }; float dst1[] = { 0.0, 1.0, 0.0 }; const float* lut1 = NULL; std::ifstream profileFile("C:\\DELL P2715Q.icm.icc", std::ios::binary); std::vector<char> profileData((std::istreambuf_iterator<char>(profileFile)), std::istreambuf_iterator<char>()); qcms_profile* in = qcms_profile_from_memory(kIccAdobeRGB, kIccAdobeRGBLength); qcms_profile* out = qcms_profile_from_memory(profileData.data(), profileData.size()); lut1 = qcms_chain_transform(in, out, src1, dst1, sizeof(src1) / sizeof(*src1)); if (lut1) { assert(lut1); } return 0; } Color profile DELL P2715Q.icm.icc is attached. This happens because function qcms_transform_module_LAB_to_XYZ returns negative value in *dest what is not correct. After that this value goes to function qcms_transform_module_gamma_table which calls function lut_interp_linear_float where the access outside buffer is performed. As I understand, these functions accessing to table must be fixed to clamp upper and lower indexes between values 0 and length-1: lut_interp_linear lut_interp_linear16 lut_interp_linear_precache_output lut_interp_linear_float Actual results: Access outside buffer range happens (index value is less than 0) Expected results: Index values should be clamped between [0, length-1] in these functions: lut_interp_linear lut_interp_linear16 lut_interp_linear_precache_output lut_interp_linear_float
Attached file qcms-test.zip
Full project is attached
The function returning negative value is not qcms_transform_module_LAB_to_XYZ but qcms_transform_module_XYZ_to_LAB. Sorry for mistake.
You're using qcms incorrectly. An example at how to use it is below. https://dxr.mozilla.org/mozilla-central/source/gfx/tests/gtest/TestQcms.cpp#32
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: