authortpayne@chromium.org <tpayne@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-04 23:05:45 +0000
committertpayne@chromium.org <tpayne@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-04 23:05:45 +0000
commit8b61135340ddd15e31f8c8715ad4a05dc129d94d (patch)
treec69980f9f27f95d1407cf0bd6b87cf7b90abd4b2
parente0d8c4278bea8648d5441eac5970e6d75fa9f088 (diff)
downloadchromium_src-8b61135340ddd15e31f8c8715ad4a05dc129d94d.zip
chromium_src-8b61135340ddd15e31f8c8715ad4a05dc129d94d.tar.gz
chromium_src-8b61135340ddd15e31f8c8715ad4a05dc129d94d.tar.bz2
applied upstream security patch
BUG=b/6534265 TEST=None Review URL: https://chromiumcodereview.appspot.com/10515013 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140415 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--third_party/qcms/README.chromium2
-rw-r--r--third_party/qcms/google.patch36
-rw-r--r--third_party/qcms/src/iccread.c2
-rw-r--r--third_party/qcms/src/transform_util.c20
4 files changed, 58 insertions, 2 deletions
diff --git a/third_party/qcms/README.chromium b/third_party/qcms/README.chromium
index 7043ed0..761820c 100644
--- a/third_party/qcms/README.chromium
+++ b/third_party/qcms/README.chromium
@@ -21,3 +21,5 @@ google.patch
(https://bugzilla.mozilla.org/show_bug.cgi?id=692922)
Applied upstream patch:
- https://bug752254.bugzilla.mozilla.org/attachment.cgi?id=626102
+Applied upstream security patch:
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=761014
diff --git a/third_party/qcms/google.patch b/third_party/qcms/google.patch
index dae75d6..63ca8f2 100644
--- a/third_party/qcms/google.patch
+++ b/third_party/qcms/google.patch
@@ -696,3 +696,39 @@ index 9a6562b..ae3f628 100644
}
qcms_bool qcms_supports_iccv4;
+--- a/transform_util.c
++++ a/transform_util.c
+@@ -214,6 +214,21 @@ float u8Fixed8Number_to_float(uint16_t x)
+ return x/256.;
+ }
+
++/* The SSE2 code uses min & max which let NaNs pass through.
++ We want to try to prevent that here by ensuring that
++ gamma table is within expected values. */
++void validate_gamma_table(float gamma_table[256])
++{
++ int i;
++ for (i = 0; i < 256; i++) {
++ // Note: we check that the gamma is not in range
++ // instead of out of range so that we catch NaNs
++ if (!(gamma_table[i] > 0.f && gamma_table[i] < 1.f)) {
++ gamma_table[i] = 0.f;
++ }
++ }
++}
++
+ float *build_input_gamma_table(struct curveType *TRC)
+ {
+ float *gamma_table;
+@@ -233,7 +248,10 @@ float *build_input_gamma_table(struct curveType *TRC)
+ }
+ }
+ }
+- return gamma_table;
++
++ validate_gamma_table(gamma_table);
++
++ return gamma_table;
+ }
+
+ struct matrix build_colorant_matrix(qcms_profile *p)
diff --git a/third_party/qcms/src/iccread.c b/third_party/qcms/src/iccread.c
index 2454924..0523846 100644
--- a/third_party/qcms/src/iccread.c
+++ b/third_party/qcms/src/iccread.c
@@ -266,7 +266,7 @@ qcms_bool qcms_profile_is_bogus(qcms_profile *profile)
if (profile->color_space != RGB_SIGNATURE)
return false;
- if (profile->A2B0 || profile->B2A0)
+ if (qcms_supports_iccv4 && (profile->A2B0 || profile->B2A0))
return false;
rX = s15Fixed16Number_to_float(profile->redColorant.X);
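Review bot: The new `qcms_supports_iccv4 &&` condition has no comment, and neither the commit message nor the README entry says why it belongs to this security patch. With it, a profile carrying A2B0/B2A0 tags is no longer exempt from the colorant checks below when ICC v4 support is off, presumably because the LUT tags are ignored in that mode and the colorants are what get used. I would add a comment above the `if`, such as `/* LUT tags only exempt the profile when iccv4 support is on; otherwise the colorants below are still checked */`. The google.patch hunk in this commit records only the transform_util.c change, so confirm this line is already covered there. qcms_profile_is_bogus continues outside the hunk.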
diff --git a/third_party/qcms/src/transform_util.c b/third_party/qcms/src/transform_util.c
index e8447e5..5443e9d 100644
--- a/third_party/qcms/src/transform_util.c
+++ b/third_party/qcms/src/transform_util.c
@@ -235,6 +235,21 @@ float u8Fixed8Number_to_float(uint16_t x)
return x/256.;
}
+/* The SSE2 code uses min & max which let NaNs pass through.
+ We want to try to prevent that here by ensuring that
+ gamma table is within expected values. */
+void validate_gamma_table(float gamma_table[256])
+{
+ int i;
+ for (i = 0; i < 256; i++) {
+ // Note: we check that the gamma is not in range
+ // instead of out of range so that we catch NaNs
+ if (!(gamma_table[i] > 0.f && gamma_table[i] < 1.f)) {
+ gamma_table[i] = 0.f;
+ }
+ }
+}
+
float *build_input_gamma_table(struct curveType *TRC)
{
float *gamma_table;
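Review bot: The range test in `validate_gamma_table` uses strict bounds, so an entry of exactly `1.f` fails `gamma_table[i] < 1.f` and is reset to `0.f`; a table whose top entry is full scale would have that entry zeroed. If 0 and 1 are valid gamma values, as the comment's "within expected values" suggests, inclusive bounds still reject NaNs: `if (!(gamma_table[i] >= 0.f && gamma_table[i] <= 1.f)) {`. The function is also added with external linkage and no prototype is visible in the hunk; if it is only called from this file, `static` would be appropriate. The copy of this hunk embedded in google.patch would need the same change.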
@@ -254,7 +269,10 @@ float *build_input_gamma_table(struct curveType *TRC)
}
}
}
- return gamma_table;
+
+ validate_gamma_table(gamma_table);
+
+ return gamma_table;
}
struct matrix build_colorant_matrix(qcms_profile *p)
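Review bot: `validate_gamma_table(gamma_table)` is called unconditionally after the closing braces, and the helper indexes the pointer without a NULL check. The allocation is outside the hunk, but if `gamma_table` can be NULL at this point (for example after a failed allocation), a path that used to return NULL now dereferences it. `if (gamma_table) validate_gamma_table(gamma_table);` keeps the previous behaviour on that path. The start of build_input_gamma_table is outside the hunk.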