Fix cmsStageAllocMatrix parameter swap

For cmsStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later.
author: Kuang-che Wu <kcwu@google.com> 2016-10-05 10:06:29 +0800
committer: Kuang-che Wu <kcwu@google.com> 2016-10-17 21:17:39 +0800
commit: 9896f74051c1f3658ed2fdf43181acee6b5ba221 (patch)
tree: b5544e6c47f3a1e0e838e7f7b85f01de8ed0b2c7 /src/cmslut.c
parent: 892b758d2f3709e4c30f1ed53bb623275d7f0c3a (diff)
download: lcms2-9896f74051c1f3658ed2fdf43181acee6b5ba221.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/src/cmslut.c b/src/cmslut.c
index df3dfc1..0a13018 100644
--- a/src/cmslut.c
+++ b/src/cmslut.c
@@ -414,13 +414,13 @@ cmsStage*  CMSEXPORT cmsStageAllocMatrix(cmsContext ContextID, cmsUInt32Number R
 
     if (Offset != NULL) {
 
-        NewElem ->Offset = (cmsFloat64Number*) _cmsCalloc(ContextID, Cols, sizeof(cmsFloat64Number));
+        NewElem ->Offset = (cmsFloat64Number*) _cmsCalloc(ContextID, Rows, sizeof(cmsFloat64Number));
         if (NewElem->Offset == NULL) {
            MatrixElemTypeFree(NewMPE);
            return NULL;
         }
 
-        for (i=0; i < Cols; i++) {
+        for (i=0; i < Rows; i++) {
                 NewElem ->Offset[i] = Offset[i];
         }
author	Kuang-che Wu <kcwu@google.com>	2016-10-05 10:06:29 +0800
committer	Kuang-che Wu <kcwu@google.com>	2016-10-17 21:17:39 +0800
commit	9896f74051c1f3658ed2fdf43181acee6b5ba221 (patch)
tree	b5544e6c47f3a1e0e838e7f7b85f01de8ed0b2c7 /src/cmslut.c
parent	892b758d2f3709e4c30f1ed53bb623275d7f0c3a (diff)
download	lcms2-9896f74051c1f3658ed2fdf43181acee6b5ba221.tar.gz