It all started by debugging an application that stopped writing png files after upgrading to libpng 1.6. This version of libpng added a check for the size being a multiple of 4. Doing a check on all the icm files installed on the system, Calligra also had some profiles with an odd size; these are:

Reproducible: Always

Actual Results:
154326 /usr/share/color/icc/krita/lcmslabi.icm
154323 /usr/share/color/icc/krita/lcmsxyzi.icm
827 /usr/share/color/icc/krita/scRGB.icm

Expected Results:
-rw-r--r-- 1 vivo users 154328 9 mag 19.00 lcmslabi.icm
-rw-r--r-- 1 vivo users 154324 9 mag 19.00 lcmsxyzi.icm
-rw-r--r-- 1 vivo users 828 9 mag 19.00 scRGB.icm

Bash function used to pad the attached profiles:

pad_icc() {
    local PROFILENAME="$1"
    local oldsize=$(stat --printf='%s' "${PROFILENAME}")
    local newsize=$(( (oldsize +3 ) / 4 * 4 ))
    local hexnewsize
    if [[ $oldsize != $newsize ]] ; then
        hexnewsize=$(printf '%08X\n' ${newsize})
        hexnewsize=$(echo ${hexnewsize} | sed -e 's:..:\\x\0:g')
        # write the new size (4 byte file)
        echo -ne ${hexnewsize} > "${PROFILENAME}".new
        # now append the original profile w/o the first 4 byte
        dd if="${PROFILENAME}" ibs=4 skip=1 >> "${PROFILENAME}".new
        # then pad to the wanted size
        for i in $(seq $(( newsize - oldsize)) ) ; do
            echo -ne \\00 >> "${PROFILENAME}".new
        done
        # finally move to the original
        mv "${PROFILENAME}".new "${PROFILENAME}"
    fi
}

pad_icc lcmslabi.icm
pad_icc lcmsxyzi.icm
pad_icc scRGB.icm
Created attachment 79805
calligra_icm.zip

the three files padded and with header modified
Nearly forgotten but important, from: https://bugs.gentoo.org/show_bug.cgi?id=466798#c12

Hi, that's Marti, the author of lcms.

I've taken a look at that and those bogus profiles come from diverse origins. The "2.1" and "2.3" version stamp you see in the profile does *not* refer to the littlecms library, but to the ICC spec they are supposed to follow. Current ICC spec is 4.3, so go figure how old those profiles are.

I can identify lcmslab and lcmsxyz as being prototypes created by myself about 15 years ago, in the old days of lcms 1.1. I would just discard those profiles as they are actually useless. For the remaining ones, searching in my profile collection I can find the same file names but with a size that is a multiple of 4. I wonder if any spare bytes have been added by I don't know which magic process.

Otherwise, the check is fine but probably too restrictive for untrusted environments and too permissive if you want to take security into account. The profile header contains the expected length, I would check that field and probably the MD5 id if you want to make sure the profile has not been stamped.
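One way to implement the header checks suggested in the comment above, as an added example that is not code from this bug report, lcms or libpng. The field offsets follow the ICC profile header layout; the function names and the zero-filled sample profiles are constructed for illustration, and a profile whose ID field is all zeros skips the MD5 comparison.

```python
import hashlib
import struct

HEADER_LEN = 128  # the ICC profile header has a fixed size


def check_icc(data: bytes) -> list:
    """Return the problems found in an ICC profile; an empty list means it passed."""
    if len(data) < HEADER_LEN:
        return ["shorter than the 128-byte ICC header"]
    problems = []
    declared = struct.unpack(">I", data[0:4])[0]  # profile size, big-endian
    if declared != len(data):
        problems.append(f"header size {declared} != actual size {len(data)}")
    if len(data) % 4:
        problems.append("size is not a multiple of 4")
    if data[36:40] != b"acsp":
        problems.append("missing 'acsp' signature")
    stored_id = data[84:100]
    if any(stored_id):  # an all-zero ID means it was never computed
        scrubbed = bytearray(data)
        # The ID is the MD5 of the profile with flags, rendering intent
        # and the ID field itself zeroed.
        for start, end in ((44, 48), (64, 68), (84, 100)):
            scrubbed[start:end] = bytes(end - start)
        if hashlib.md5(scrubbed).digest() != stored_id:
            problems.append("profile ID (MD5) mismatch")
    return problems


def make_sample(size: int, with_id: bool = False) -> bytes:
    """Constructed sample: valid size and signature fields, zero-filled body."""
    buf = bytearray(size)
    buf[0:4] = struct.pack(">I", size)
    buf[36:40] = b"acsp"
    if with_id:
        buf[84:100] = hashlib.md5(buf).digest()  # covered fields are still zero
    return bytes(buf)


if __name__ == "__main__":
    odd = make_sample(827)                   # same size as the unpadded scRGB.icm
    print(check_icc(odd))                    # size not a multiple of 4
    print(check_icc(odd + b"\x00"))          # padded, header size left stale
    print(check_icc(make_sample(828)))       # padded and header size updated
```

The middle case shows why the bash function above rewrites the first four bytes: padding alone satisfies a multiple-of-4 test but leaves the header length disagreeing with the file.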
Thanks! I'll follow the suggestions to remove the lcms profiles and use your padded scRGB profile (which we created ourselves, iirc).
Git commit d97b7d6a5e46c057f6660cd76409b2eb62943612 by Boudewijn Rempt.
Committed on 18/05/2013 at 10:53.
Pushed by rempt into branch 'master'.

Update the scRGB profile

M +- -- krita/data/profiles/scRGB.icm

http://commits.kde.org/calligra/d97b7d6a5e46c057f6660cd76409b2eb62943612
Git commit 20556d6bb8b5e1ed72fd1dbf64b02e3c6aaff378 by Boudewijn Rempt.
Committed on 18/05/2013 at 10:53.
Pushed by rempt into branch 'calligra/2.7'.

Update the scRGB profile

M +- -- krita/data/profiles/scRGB.icm

http://commits.kde.org/calligra/20556d6bb8b5e1ed72fd1dbf64b02e3c6aaff378