lcms: patch CVE-2026-42798

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-05-13 17:04:47 +12:00
parent 49a682f2ed
commit 100da99a04
2 changed files with 39 additions and 0 deletions
@@ -0,0 +1,38 @@
+From e5638450eafbe2e79b4dbbf9fcbc47998cf35427 Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 19 Feb 2026 08:48:50 +0100
+Subject: [PATCH] Fix for ParseCube integer overflow in LUT allocation
+
+thanks to @zerojackyi for reporting
+
+(cherry picked from commit 6a686019825a89b715d16671f18d049523354176)
+
+CVE: CVE-2026-42798
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/cmscgats.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmscgats.c b/src/cmscgats.c
+index bccbf58..b099331 100644
+--- a/src/cmscgats.c
+++ b/src/cmscgats.c
+@@ -3128,7 +3128,16 @@ cmsBool ParseCube(cmsIT8* cube, cmsStage** Shaper, cmsStage** CLUT, char title[]
+ 
+             if (lut_size > 0) {
+ 
+-                int nodes = lut_size * lut_size * lut_size;
+                int nodes;
+                
+                /**
+                * Professional LUT‑generation tools (e.g., Nobe LutBake) list 65×65×65 as their highest supported size.                
+                */
+                if (lut_size > 65)
+                    return SynError(cube, "LUT size '%d' is over maximum of 65", lut_size);
+
+                nodes = lut_size * lut_size * lut_size;
+
+ 
+                 cmsFloat32Number* lut_table = _cmsMalloc(cube->ContextID, nodes * 3 * sizeof(cmsFloat32Number));
+                 if (lut_table == NULL) return FALSE;
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
 SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
        file://CVE-2026-41254_1.patch \
        file://CVE-2026-41254_2.patch \
+        file://CVE-2026-42798.patch \
 "
 SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51"