mm2 / Little-CMS

A free, open source, CMM engine. It provides fast transforms between ICC profiles.
https://www.littlecms.com
MIT License

A possible overflow in cmsBuildTabulatedToneCurveFloat #351

Closed hopper-vul closed 1 year ago

hopper-vul commented 1 year ago

Hi, we found a possible overflow in cmsBuildTabulatedToneCurveFloat when fuzzing.

As described in the doc, when using the API cmsBuildTabulatedToneCurveFloat, the parameter nEntries should be the number of sample points. However, if the passed nEntries is zero, an unintended overflow will happen in cmsBuildTabulatedToneCurveFloat, caused by the following code:

   Seg[2].Params[3] = values[nEntries-1];

Maybe it would be good to ensure nEntries is greater than zero in cmsBuildTabulatedToneCurveFloat, or to tell people in the doc that nEntries should be greater than zero.

Thanks for your time.
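An added example, not part of the original report and not lcms2's code or its fix: it shows why the quoted line reads far out of bounds when nEntries is zero, and a guard of the kind the report suggests. It assumes nEntries is an unsigned 32-bit count, as in the public lcms2 prototype; `unchecked_last_index` and `last_sample_checked` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Index that values[nEntries-1] would use, computed in unsigned 32-bit
 * arithmetic. For nEntries == 0 it wraps to UINT32_MAX instead of -1. */
static uint32_t unchecked_last_index(uint32_t nEntries)
{
    return (uint32_t)(nEntries - 1u);
}

/* Hypothetical guarded stand-in for the "last sample" lookup.
 * Returns 1 and stores the last sample in *out on success.
 * Returns 0 and leaves *out untouched when the table is empty or
 * a pointer is NULL, so no out-of-bounds read can occur. */
static int last_sample_checked(uint32_t nEntries, const float *values, float *out)
{
    if (values == NULL || out == NULL || nEntries == 0)
        return 0;
    *out = values[nEntries - 1u];
    return 1;
}

int main(void)
{
    /* Constructed sample table, for illustration only. */
    const float samples[3] = { 0.0f, 0.5f, 1.0f };
    float last = -1.0f;

    printf("index used for nEntries=0: %lu\n",
           (unsigned long)unchecked_last_index(0));

    if (last_sample_checked(3, samples, &last))
        printf("last sample of 3 entries: %.1f\n", last);

    if (!last_sample_checked(0, samples, &last))
        printf("nEntries=0 rejected before any read\n");

    return 0;
}
```

A caller-side check like this is also useful when the sample count comes from untrusted input, such as a parsed file, regardless of which library version is linked.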

mm2 commented 1 year ago

Fixed, thank you for reporting!

mm2 commented 1 year ago

Fixed in 37eddd2d8787dbc5d707044cab0762bfc879fb3e