Bug 1166252 - Reject lut8/16Type with empty CLUT grid. r=jrmuizel, a=sledru
authorBenoit Girard <b56girard@gmail.com>
Tue, 25 Aug 2015 15:48:55 -0400
changeset 289048 e3cc78bb5f7316a3066a815e8262a1193e67e0b2
parent 289047 cb6d298f3fe72fc1b470a4d03040f14acfd86fb0
child 289049 a8b96fe39d92f422cc5491e993955c430ce29329
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
reviewersjrmuizel, sledru
bugs1166252
milestone42.0a2
Bug 1166252 - Reject lut8/16Type with empty CLUT grid. r=jrmuizel, a=sledru
gfx/qcms/chain.c
gfx/qcms/iccread.c
--- a/gfx/qcms/chain.c
+++ b/gfx/qcms/chain.c
@@ -129,16 +129,18 @@ static void qcms_transform_module_clut_o
 	int xy_len = 1;
 	int x_len = transform->grid_size;
 	int len = x_len * x_len;
 	float* r_table = transform->r_clut;
 	float* g_table = transform->g_clut;
 	float* b_table = transform->b_clut;
 
 	for (i = 0; i < length; i++) {
+		assert(transform->grid_size >= 1);
+
 		float linear_r = *src++;
 		float linear_g = *src++;
 		float linear_b = *src++;
 
 		int x = floorf(linear_r * (transform->grid_size-1));
 		int y = floorf(linear_g * (transform->grid_size-1));
 		int z = floorf(linear_b * (transform->grid_size-1));
 		int x_n = ceilf(linear_r * (transform->grid_size-1));
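Review bot: The added `assert(transform->grid_size >= 1);` is a debug-only check if this is the standard macro, so in builds where asserts compile out a zero grid_size would still reach the `grid_size-1` scaling just below it. The real runtime guard is the parser-side rejection in gfx/qcms/iccread.c, and any other path that can set grid_size would need the same validation. The condition is loop-invariant, so it reads better hoisted above the `for` with a comment such as `/* grid_size is validated when the profile is parsed; debug-only sanity check */`. The same applies to the identical assert added to qcms_transform_module_clut in the next hunk. Both function bodies start and end outside their hunks.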
@@ -183,16 +185,18 @@ static void qcms_transform_module_clut(s
 	size_t i;
 	int xy_len = 1;
 	int x_len = transform->grid_size;
 	int len = x_len * x_len;
 	float* r_table = transform->r_clut;
 	float* g_table = transform->g_clut;
 	float* b_table = transform->b_clut;
 	for (i = 0; i < length; i++) {
+		assert(transform->grid_size >= 1);
+
 		float device_r = *src++;
 		float device_g = *src++;
 		float device_b = *src++;
 		float linear_r = lut_interp_linear_float(device_r,
 				transform->input_clut_table_r, transform->input_clut_table_length);
 		float linear_g = lut_interp_linear_float(device_g,
 				transform->input_clut_table_g, transform->input_clut_table_length);
 		float linear_b = lut_interp_linear_float(device_b,
--- a/gfx/qcms/iccread.c
+++ b/gfx/qcms/iccread.c
@@ -710,16 +710,21 @@ static struct lutType *read_tag_lutType(
 	grid_points = read_u8(src, offset + 10);
 
 	clut_size = pow(grid_points, in_chan);
 	if (clut_size > MAX_CLUT_SIZE) {
 		invalid_source(src, "CLUT too large");
 		return NULL;
 	}
 
+	if (clut_size <= 0) {
+		invalid_source(src, "CLUT must not be empty.");
+		return NULL;
+	}
+
 	if (in_chan != 3 || out_chan != 3) {
 		invalid_source(src, "CLUT only supports RGB");
 		return NULL;
 	}
 
 	lut = malloc(sizeof(struct lutType) + (num_input_table_entries * in_chan + clut_size*out_chan + num_output_table_entries * out_chan)*sizeof(float));
 	if (!lut) {
 		invalid_source(src, "CLUT too large");
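Review bot: The new `clut_size <= 0` test, like the MAX_CLUT_SIZE test above it, only sees the value after `clut_size = pow(grid_points, in_chan);` has converted the double result to clut_size's type (declared outside this hunk, presumably an integer type). Because in_chan has not been validated at that point, a large in_chan can make pow() return a value that type cannot represent, and that conversion is undefined behaviour in C, so neither check can be relied on. Moving the existing `if (in_chan != 3 || out_chan != 3)` block above the pow() call bounds the result to at most 255^3, assuming read_u8 returns an 8-bit value. The empty case can then be tested directly as `if (grid_points == 0)`. read_tag_lutType's body starts and ends outside the hunk.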