1 diff --git a/third_party/lcms/src/cmstypes.c b/third_party/lcms/src/cmstypes.c
2 index 75f1fae32..4d96a1ed6 100644
3 --- a/third_party/lcms/src/cmstypes.c
4 +++ b/third_party/lcms/src/cmstypes.c
5 @@ -173,6 +173,12 @@ cmsBool ReadPositionTable(struct _cms_typehandler_struct* self,
6 {
7 cmsUInt32Number i;
8 cmsUInt32Number *ElementOffsets = NULL, *ElementSizes = NULL;
9 + cmsUInt32Number currentPosition;
10 +
11 + currentPosition = io->Tell(io);
12 + // Verify there is enough space left to read two cmsUInt32Number items for Count items.
13 + if (((io->ReportedSize - currentPosition) / (2 * sizeof(cmsUInt32Number))) < Count)
14 + return FALSE;
15
16 // Let's take the offsets to each element
17 ElementOffsets = (cmsUInt32Number *) _cmsCalloc(io ->ContextID, Count, sizeof(cmsUInt32Number));
18
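Review bot: The added bound on `Count` computes `io->ReportedSize - currentPosition` in unsigned 32-bit arithmetic, so if `Tell()` ever reports a position past `ReportedSize` the difference wraps to a large value and the check passes for nearly any `Count`, leaving the `_cmsCalloc` below sized by an unvalidated profile field. Whether that state is reachable depends on the I/O handler, which is not visible in this hunk, but the guard is one comparison placed before the division: `if (currentPosition > io->ReportedSize) return FALSE;`. The comment could also say that `ReportedSize` is assumed to be the total stream length for every handler that reaches this function, since the check is only as strong as that assumption. The body of `ReadPositionTable` continues past the end of the hunk, so how the offsets and sizes read afterwards are validated cannot be judged from here.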