From 9896f74051c1f3658ed2fdf43181acee6b5ba221 Mon Sep 17 00:00:00 2001 From: Kuang-che Wu Date: Wed, 5 Oct 2016 10:06:29 +0800 Subject: Fix cmsStageAllocMatrix parameter swap For cmsStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later. --- src/cmslut.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/cmslut.c') diff --git a/src/cmslut.c b/src/cmslut.c index df3dfc1..0a13018 100644 --- a/src/cmslut.c +++ b/src/cmslut.c @@ -414,13 +414,13 @@ cmsStage* CMSEXPORT cmsStageAllocMatrix(cmsContext ContextID, cmsUInt32Number R if (Offset != NULL) { - NewElem ->Offset = (cmsFloat64Number*) _cmsCalloc(ContextID, Cols, sizeof(cmsFloat64Number)); + NewElem ->Offset = (cmsFloat64Number*) _cmsCalloc(ContextID, Rows, sizeof(cmsFloat64Number)); if (NewElem->Offset == NULL) { MatrixElemTypeFree(NewMPE); return NULL; } - for (i=0; i < Cols; i++) { + for (i=0; i < Rows; i++) { NewElem ->Offset[i] = Offset[i]; } -- cgit v1.2.1
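Review bot: The size contract for `Offset` is still undocumented at the allocation in this hunk, which is the ambiguity behind the Rows/Cols mix-up; a comment above the `_cmsCalloc` call such as `/* Offset has one entry per output channel (Rows); the caller's array must hold at least Rows values */` would pin it. With the loop bound now `Rows`, the copy reads `Rows` elements from the caller-supplied `Offset`, so a caller that sized its array by `Cols` would be over-read whenever Rows > Cols; the call sites are not visible here and should be checked. Code that duplicates or evaluates the stage presumably also indexes `Offset` and needs to agree on `Rows`. The diffstat shows only `src/cmslut.c` changed, so a regression test that allocates a stage with Rows != Cols and runs under a memory sanitizer would keep this from recurring. The body of `cmsStageAllocMatrix` starts and ends outside the hunk.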