Bug 1166252 - Reject lut8/16Type with empty CLUT grid. r=jrmuizel
authorBenoit Girard <b56girard@gmail.com>
Tue, 25 Aug 2015 15:48:55 -0400
changeset 259314 419ade49d346f41632f8ad4478edc2b1ecac5825
parent 259313 450d1f83b00197a99fe33c2802cfddb9d4fb7870
child 259315 5ab5948739525cf126978329045657dfbc1e30d1
push id29277
push userryanvm@gmail.com
push dateWed, 26 Aug 2015 18:32:23 +0000
treeherdermozilla-central@fea87cbeaa6b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjrmuizel
bugs1166252
milestone43.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1166252 - Reject lut8/16Type with empty CLUT grid. r=jrmuizel
gfx/qcms/chain.c
gfx/qcms/iccread.c
--- a/gfx/qcms/chain.c
+++ b/gfx/qcms/chain.c
@@ -129,16 +129,18 @@ static void qcms_transform_module_clut_o
 	int xy_len = 1;
 	int x_len = transform->grid_size;
 	int len = x_len * x_len;
 	float* r_table = transform->r_clut;
 	float* g_table = transform->g_clut;
 	float* b_table = transform->b_clut;
 
 	for (i = 0; i < length; i++) {
+		assert(transform->grid_size >= 1);
+
 		float linear_r = *src++;
 		float linear_g = *src++;
 		float linear_b = *src++;
 
 		int x = floorf(linear_r * (transform->grid_size-1));
 		int y = floorf(linear_g * (transform->grid_size-1));
 		int z = floorf(linear_b * (transform->grid_size-1));
 		int x_n = ceilf(linear_r * (transform->grid_size-1));
@@ -183,16 +185,18 @@ static void qcms_transform_module_clut(s
 	size_t i;
 	int xy_len = 1;
 	int x_len = transform->grid_size;
 	int len = x_len * x_len;
 	float* r_table = transform->r_clut;
 	float* g_table = transform->g_clut;
 	float* b_table = transform->b_clut;
 	for (i = 0; i < length; i++) {
+		assert(transform->grid_size >= 1);
+
 		float device_r = *src++;
 		float device_g = *src++;
 		float device_b = *src++;
 		float linear_r = lut_interp_linear_float(device_r,
 				transform->input_clut_table_r, transform->input_clut_table_length);
 		float linear_g = lut_interp_linear_float(device_g,
 				transform->input_clut_table_g, transform->input_clut_table_length);
 		float linear_b = lut_interp_linear_float(device_b,
--- a/gfx/qcms/iccread.c
+++ b/gfx/qcms/iccread.c
@@ -710,16 +710,21 @@ static struct lutType *read_tag_lutType(
 	grid_points = read_u8(src, offset + 10);
 
 	clut_size = pow(grid_points, in_chan);
 	if (clut_size > MAX_CLUT_SIZE) {
 		invalid_source(src, "CLUT too large");
 		return NULL;
 	}
 
+	if (clut_size <= 0) {
+		invalid_source(src, "CLUT must not be empty.");
+		return NULL;
+	}
+
 	if (in_chan != 3 || out_chan != 3) {
 		invalid_source(src, "CLUT only supports RGB");
 		return NULL;
 	}
 
 	lut = malloc(sizeof(struct lutType) + (num_input_table_entries * in_chan + clut_size*out_chan + num_output_table_entries * out_chan)*sizeof(float));
 	if (!lut) {
 		invalid_source(src, "CLUT too large");