From e53be5c1280aa16c844f64352a549f7e923db635 Mon Sep 17 00:00:00 2001
From: ChrisCoxArt <ccox@comcast.net>
Date: Sat, 28 Feb 2026 15:47:47 -0800
Subject: [PATCH] validate row column counts after reading matrix

Fixes #627
---
 IccProfLib/IccTagBasic.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/IccProfLib/IccTagBasic.cpp b/IccProfLib/IccTagBasic.cpp
index ecd6b5ded..0d3016610 100644
--- a/IccProfLib/IccTagBasic.cpp
+++ b/IccProfLib/IccTagBasic.cpp
@@ -4654,11 +4654,12 @@ bool CIccTagSparseMatrixArray::Read(icUInt32Number size, CIccIO *pIO)
       if (!mtx.Reset(pMatrix, nBytesPerMatrix, icSparseMatrixFloatNum, true))
         return false;
 
-      size_t num_entries = mtx.GetNumEntries();
+      icUInt16Number num_entries = mtx.GetNumEntries();
       if (num_entries == 0)
         return false;
 
-      if (mtx.GetNumEntries()>mtx.MaxEntries(nChannels*sizeof(icFloatNumber), mtx.Rows(), sizeof(icFloatNumber)))
+      icUInt32Number maxEntries = mtx.MaxEntries(nChannels*sizeof(icFloatNumber), mtx.Rows(), sizeof(icFloatNumber));
+      if (num_entries > maxEntries)
         return false;
     
       n = (icUInt32Number) (num_entries*sizeof(icUInt16Number));
@@ -4740,6 +4741,13 @@ bool CIccTagSparseMatrixArray::Read(icUInt32Number size, CIccIO *pIO)
       nSizeLeft -= n;
       pos += n;
 
+      // validate column counts that will be used later (and could cause a crash)
+      for (j=0; j<(int)mtx.Rows(); j++) {
+        n = mtx.GetNumRowColumns(j);
+        if (n > mtx.Cols())
+          return false;
+      }
+
       nAligned = ((pos+3)/4)*4;
       if (nAligned != pos) {
         n = nAligned - pos;