From 2550e28c834f2f02033c3318eb5eaf508e4ef388 Mon Sep 17 00:00:00 2001
From: David Capello <david@igarastudio.com>
Date: Fri, 5 Jun 2020 11:59:11 -0300
Subject: [PATCH] Fix crash recovering sessions from v1.2.9 or older

The issue here was that, when the color space was missing, we were allocating a
huge std::vector because we got an invalid color space size from
read32().
---
 src/app/crash/read_document.cpp | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/app/crash/read_document.cpp b/src/app/crash/read_document.cpp
index 3a71191ad..eb7316f44 100644
--- a/src/app/crash/read_document.cpp
+++ b/src/app/crash/read_document.cpp
@@ -343,14 +343,18 @@ private:
     }
 
     // Read color space
-    gfx::ColorSpacePtr colorSpace = readColorSpace(s);
-    if (colorSpace)
-      spr->setColorSpace(colorSpace);
+    if (!s.eof()) {
+      gfx::ColorSpacePtr colorSpace = readColorSpace(s);
+      if (colorSpace)
+        spr->setColorSpace(colorSpace);
+    }
 
     // Read grid bounds
-    gfx::Rect gridBounds = readGridBounds(s);
-    if (!gridBounds.isEmpty())
-      spr->setGridBounds(gridBounds);
+    if (!s.eof()) {
+      gfx::Rect gridBounds = readGridBounds(s);
+      if (!gridBounds.isEmpty())
+        spr->setGridBounds(gridBounds);
+    }
 
     return spr.release();
   }
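Review bot: The `!s.eof()` guards added before readColorSpace and readGridBounds only fire after a read has already failed past the end, so a session file that ends exactly after the preceding field (the v1.2.9 case the commit targets) still passes both checks and the helpers read from a stream that is out of data. If `s` is a std::istream (inferred; the type is not visible here), `if (s.peek() != EOF) {` is the condition that actually detects "nothing left to read" before calling into the helper, and it would make the guard in the second hunk a secondary defence rather than the only one. The same reasoning applies to the grid-bounds block below it. The enclosing function starts before this hunk.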
@@ -360,6 +364,12 @@ private:
     const gfx::ColorSpace::Flag flags = (gfx::ColorSpace::Flag)read16(s);
     const double gamma = fixmath::fixtof(read32(s));
     const size_t n = read32(s);
+
+    // If the color space file is to big, it's because the sprite file
+    // is invalid or or from an old session without color spcae.
+    if (n > 1024*1024*64) // 64 MB is too much for an ICC file
+      return nullptr;
+
     std::vector<uint8_t> buf(n);
     if (n)
       s.read((char*)&buf[0], n);
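Review bot: The new size check bounds the allocation, but nothing verifies that the `s.read` on the last line actually delivered `n` bytes, so a truncated file or a garbage length below 64 MB leaves `buf` partially zero-filled and the rest of readColorSpace (outside this hunk) treats it as a complete ICC profile. Adding `if (!s || static_cast<size_t>(s.gcount()) != n) return nullptr;` after the read closes that gap with the same early-return the commit already uses for the oversize case. The limit would read better as a named constant, `constexpr size_t kMaxIccProfileSize = 64u * 1024 * 1024;`, and the new comment has three typos ("to big", "or or", "spcae"). readColorSpace's signature and the code that consumes `buf` are both outside this hunk.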