diff options
| -rw-r--r-- | third_party/qcms/README.chromium | 2 | ||||
| -rw-r--r-- | third_party/qcms/google.patch | 36 | ||||
| -rw-r--r-- | third_party/qcms/src/iccread.c | 2 | ||||
| -rw-r--r-- | third_party/qcms/src/transform_util.c | 20 |
4 files changed, 58 insertions, 2 deletions
diff --git a/third_party/qcms/README.chromium b/third_party/qcms/README.chromium index 7043ed0..761820c 100644 --- a/third_party/qcms/README.chromium +++ b/third_party/qcms/README.chromium @@ -21,3 +21,5 @@ google.patch (https://bugzilla.mozilla.org/show_bug.cgi?id=692922) Applied upstream patch: - https://bug752254.bugzilla.mozilla.org/attachment.cgi?id=626102 +Applied upstream security patch: + - https://bugzilla.mozilla.org/show_bug.cgi?id=761014 diff --git a/third_party/qcms/google.patch b/third_party/qcms/google.patch index dae75d6..63ca8f2 100644 --- a/third_party/qcms/google.patch +++ b/third_party/qcms/google.patch @@ -696,3 +696,39 @@ index 9a6562b..ae3f628 100644 } qcms_bool qcms_supports_iccv4; +--- a/transform_util.c ++++ a/transform_util.c +@@ -214,6 +214,21 @@ float u8Fixed8Number_to_float(uint16_t x) + return x/256.; + } + ++/* The SSE2 code uses min & max which let NaNs pass through. ++ We want to try to prevent that here by ensuring that ++ gamma table is within expected values. */ ++void validate_gamma_table(float gamma_table[256]) ++{ ++ int i; ++ for (i = 0; i < 256; i++) { ++ // Note: we check that the gamma is not in range ++ // instead of out of range so that we catch NaNs ++ if (!(gamma_table[i] > 0.f && gamma_table[i] < 1.f)) { ++ gamma_table[i] = 0.f; ++ } ++ } ++} ++ + float *build_input_gamma_table(struct curveType *TRC) + { + float *gamma_table; +@@ -233,7 +248,10 @@ float *build_input_gamma_table(struct curveType *TRC) + } + } + } +- return gamma_table; ++ ++ validate_gamma_table(gamma_table); ++ ++ return gamma_table; + } + + struct matrix build_colorant_matrix(qcms_profile *p) diff --git a/third_party/qcms/src/iccread.c b/third_party/qcms/src/iccread.c index 2454924..0523846 100644 --- a/third_party/qcms/src/iccread.c +++ b/third_party/qcms/src/iccread.c @@ -266,7 +266,7 @@ qcms_bool qcms_profile_is_bogus(qcms_profile *profile) if (profile->color_space != RGB_SIGNATURE) return false; - if (profile->A2B0 || profile->B2A0) + if (qcms_supports_iccv4 && (profile->A2B0 || profile->B2A0)) return false; rX = s15Fixed16Number_to_float(profile->redColorant.X); diff --git a/third_party/qcms/src/transform_util.c b/third_party/qcms/src/transform_util.c index e8447e5..5443e9d 100644 --- a/third_party/qcms/src/transform_util.c +++ b/third_party/qcms/src/transform_util.c @@ -235,6 +235,21 @@ float u8Fixed8Number_to_float(uint16_t x) return x/256.; } +/* The SSE2 code uses min & max which let NaNs pass through. + We want to try to prevent that here by ensuring that + gamma table is within expected values. */ +void validate_gamma_table(float gamma_table[256]) +{ + int i; + for (i = 0; i < 256; i++) { + // Note: we check that the gamma is not in range + // instead of out of range so that we catch NaNs + if (!(gamma_table[i] > 0.f && gamma_table[i] < 1.f)) { + gamma_table[i] = 0.f; + } + } +} + float *build_input_gamma_table(struct curveType *TRC) { float *gamma_table; @@ -254,7 +269,10 @@ float *build_input_gamma_table(struct curveType *TRC) } } } - return gamma_table; + + validate_gamma_table(gamma_table); + + return gamma_table; } struct matrix build_colorant_matrix(qcms_profile *p) |