From b0068c387bf4005f26170964351d707c5cc90ac2 Mon Sep 17 00:00:00 2001
From: Nico Weber <thakis@chromium.org>
Date: Fri, 6 Jan 2023 12:06:12 -0500
Subject: [PATCH] LibGfx: Verify ICC reserved header bytes are zero

I checked that they are zero for all profiles in Compact-ICC-Profiles
and for all .icc files in /Library/ColorSync and
/System/Library/ColorSync on my Mac (running macOS 12.6.2).
---
 Userland/Libraries/LibGfx/ICCProfile.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Userland/Libraries/LibGfx/ICCProfile.cpp b/Userland/Libraries/LibGfx/ICCProfile.cpp
index 406a320387..c56e155833 100644
--- a/Userland/Libraries/LibGfx/ICCProfile.cpp
+++ b/Userland/Libraries/LibGfx/ICCProfile.cpp
@@ -259,6 +259,15 @@ Optional<Crypto::Hash::MD5::DigestType> parse_profile_id(ICCHeader const& header
 
     return md5;
 }
+
+ErrorOr<void> parse_reserved(ICCHeader const& header)
+{
+    // ICC v4, 7.2.19 Reserved field
+    // "This field of the profile header is reserved for future ICC definition and shall be set to zero."
+    if (!all_bytes_are_zero(header.reserved))
+        return Error::from_string_literal("ICC::Profile: Reserved header bytes are not zero");
+    return {};
+}
 }
 
 StringView device_class_name(DeviceClass device_class)
@@ -391,6 +400,7 @@ ErrorOr<NonnullRefPtr<Profile>> Profile::try_load_from_externally_owned_memory(R
     profile->m_rendering_intent = TRY(parse_rendering_intent(header));
     profile->m_pcs_illuminant = TRY(parse_pcs_illuminant(header));
     profile->m_id = parse_profile_id(header);
+    TRY(parse_reserved(header));
 
     return profile;
 }