lcms2: Out-of-bounds read in Type_MLU_Read() (#1367357)

0001-Added-an-extra-check-to-MLU-bounds.patch

@@ -0,0 +1,25 @@
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+         // Check for overflow
+         if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
+-- 
+2.7.4
+

lcms2.spec

@@ -1,6 +1,6 @@
 Name:           lcms2
 Version:        2.8
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Color Management Engine
 Group:          System Environment/Libraries
 License:        MIT
@@ -8,6 +8,9 @@ URL:            http://www.littlecms.com/
 Source0:        http://www.littlecms.com/lcms2-%{version}.tar.gz
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
+## upstream patches
+Patch1: 0001-Added-an-extra-check-to-MLU-bounds.patch
+
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
 BuildRequires:  zlib-devel
@@ -37,6 +40,8 @@ Development files for LittleCMS.
 %prep
 %setup -q
 
+%patch1 -p1 -b .0001
+
 %build
 %configure --disable-static --program-suffix=2
 
@@ -88,6 +93,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/pkgconfig/lcms2.pc
 
 %changelog
+* Wed Aug 17 2016 Rex Dieter <rdieter@fedoraproject.org> - 2.8-2
+- lcms2: Out-of-bounds read in Type_MLU_Read() (#1367357)
+
 * Mon Jul 25 2016 Richard Hughes <richard@hughsie.com> - 2.8-1
 - Update to new upstream version.