lcms2: Out-of-bounds read in Type_MLU_Read() (rhbz#1367357)

Change-Id: I9c5a442125476412435ebefea29ad1b166faab8a
(cherry picked from commit da7d3f708d0619fdb17128ffbaa430becb79121f)
Reviewed-on: https://gerrit.libreoffice.org/28552
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

2 files changed, 26 insertions, 0 deletions

diff --git a/external/lcms2/0001-Added-an-extra-check-to-MLU-bounds.patch.1 b/external/lcms2/0001-Added-an-extra-check-to-MLU-bounds.patch.1
new file mode 100644
index 000000000000..913f82887cb2
--- /dev/null
+++ b/external/lcms2/0001-Added-an-extra-check-to-MLU-bounds.patch.1
@@ -0,0 +1,25 @@
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+         // Check for overflow
+         if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
+-- 
+2.7.4
+
diff --git a/external/lcms2/UnpackedTarball_lcms2.mk b/external/lcms2/UnpackedTarball_lcms2.mk
index 6490110fe6cb..db229340ea12 100644
--- a/external/lcms2/UnpackedTarball_lcms2.mk
+++ b/external/lcms2/UnpackedTarball_lcms2.mk
@@ -19,6 +19,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,lcms2,\
 	external/lcms2/lcms2-vc2013-project.patch \
 	external/lcms2/lcms2-config-guess.patch.0 \
 	external/lcms2/ubsan.patch.0 \
+	external/lcms2/0001-Added-an-extra-check-to-MLU-bounds.patch.1 \
 ))
 
 # vim: set noet sw=4 ts=4: