From 9b1b755e4dc9b6e91554ee7cd5777f96063a2a0d Mon Sep 17 00:00:00 2001
Message-Id: <9b1b755e4dc9b6e91554ee7cd5777f96063a2a0d.1513454215.git.jan.steffens@gmail.com>
In-Reply-To: <264981ddfd1984b25c629d8e3ef6cf25c70cc61a.1513454215.git.jan.steffens@gmail.com>
References: <264981ddfd1984b25c629d8e3ef6cf25c70cc61a.1513454215.git.jan.steffens@gmail.com>
From: "Jan Alexander Steffens (heftig)"
Date: Sat, 16 Dec 2017 20:40:51 +0100
Subject: [PATCH 2/2] Avoid buffer overflow when reading profile_id

The profile ID is 16 bytes, not 4 bytes. Use the union type specified by the LCMS API.
---
 lib/colord/cd-icc.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/lib/colord/cd-icc.c b/lib/colord/cd-icc.c
index 99fa27b2988b26d0..0404278f8f2dba39 100644
--- a/lib/colord/cd-icc.c
+++ b/lib/colord/cd-icc.c
@@ -227,20 +227,20 @@ gchar *
 cd_icc_to_string (CdIcc *icc)
 {
 CdIccPrivate *priv = GET_PRIVATE (icc);
+ cmsProfileID profile_id;
 cmsInt32Number tag_size;
 cmsTagSignature sig;
 cmsTagSignature sig_link;
 cmsTagTypeSignature tag_type;
 gboolean ret;
 gchar tag_str[5] = " ";
 GDateTime *created;
 GError *error_local = NULL;
 GString *str;
 guint32 i;
 guint32 number_tags;
 guint32 tmp;
 guint64 header_flags;
- guint8 profile_id[4];
 g_return_val_if_fail (CD_IS_ICC (icc), NULL);
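Review bot: The new `cmsProfileID profile_id;` declaration carries no comment recording why the LCMS union is used, so a later cleanup could shrink it back to a small array without noticing that `cmsGetHeaderProfileID` fills the whole `ID8` member. I would add `/* cmsGetHeaderProfileID() fills all of ID8 (16 bytes); do not replace with a smaller array */` directly above the declaration. Any other caller of `cmsGetHeaderProfileID` in the library is outside this patch and may be worth checking for the same undersized buffer. The body of cd_icc_to_string continues past the end of this hunk.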
@@ -335,12 +335,24 @@ cd_icc_to_string (CdIcc *icc)
 g_string_append_printf (str, " Creator\t= %s\n", tag_str);
 /* profile ID */
- cmsGetHeaderProfileID (priv->lcms_profile, profile_id);
- g_string_append_printf (str, " Profile ID\t= 0x%02x%02x%02x%02x\n",
- profile_id[0],
- profile_id[1],
- profile_id[2],
- profile_id[3]);
+ cmsGetHeaderProfileID (priv->lcms_profile, profile_id.ID8);
+ g_string_append_printf (str, " Profile ID\t= %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
+ profile_id.ID8[0],
+ profile_id.ID8[1],
+ profile_id.ID8[2],
+ profile_id.ID8[3],
+ profile_id.ID8[4],
+ profile_id.ID8[5],
+ profile_id.ID8[6],
+ profile_id.ID8[7],
+ profile_id.ID8[8],
+ profile_id.ID8[9],
+ profile_id.ID8[10],
+ profile_id.ID8[11],
+ profile_id.ID8[12],
+ profile_id.ID8[13],
+ profile_id.ID8[14],
+ profile_id.ID8[15]);
 /* print tags */
 g_string_append (str, "\n");
-- 
2.15.1
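Review bot: The sixteen `%02x` specifiers and the sixteen `profile_id.ID8[n]` arguments in the new `g_string_append_printf` call are matched by hand, which is the same kind of size bookkeeping that produced the original overflow; a mismatch between the two counts would be undefined behaviour in a varargs call. Looping over the array's element count ties the printed length to the LCMS type instead, as sketched below, assuming the `guint32 i` declared at the top of the function is not live at this point. The new format also drops the `0x` prefix that the old line printed, which is worth stating in the commit message in case anything compares this output. The body of cd_icc_to_string starts and ends outside the hunk.

```c
	cmsGetHeaderProfileID (priv->lcms_profile, profile_id.ID8);
	g_string_append (str, " Profile ID\t= ");
	for (i = 0; i < G_N_ELEMENTS (profile_id.ID8); i++)
		g_string_append_printf (str, "%02x", profile_id.ID8[i]);
	g_string_append (str, "\n");
	/* … unchanged: "print tags" section … */
```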