From c2a3e60955887239efdd3652dd5fbec55b5d099b Mon Sep 17 00:00:00 2001
From: DreamPiggy
Date: Sat, 16 Feb 2019 15:48:23 +0800
Subject: [PATCH 1/2] Fix that WebP with custom ICC Profile will randomly crash, because `CGColorSpaceCreateWithICCProfile` does not copy the ICC data pointer, previous code cause a use-after-free issue
---
 SDWebImage/SDWebImageWebPCoder.m | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/SDWebImage/SDWebImageWebPCoder.m b/SDWebImage/SDWebImageWebPCoder.m
index 81f37543..0c56c236 100644
--- a/SDWebImage/SDWebImageWebPCoder.m
+++ b/SDWebImage/SDWebImageWebPCoder.m
@@ -342,7 +342,9 @@
 WebPChunkIterator chunk_iter;
 int result = WebPDemuxGetChunk(demuxer, "ICCP", 1, &chunk_iter);
 if (result) {
- NSData *profileData = [NSData dataWithBytesNoCopy:(void *)chunk_iter.chunk.bytes length:chunk_iter.chunk.size freeWhenDone:NO];
+ // See #2618, the `CGColorSpaceCreateWithICCProfile` does not copy ICC Profile data, it only retain the byte ptr.
+ // When the libwebp `WebPDemuxer` dealloc, all chunk will be freed. So we must copy the ICC data (really cheap, less than 10KB)
+ NSData *profileData = [NSData dataWithBytes:chunk_iter.chunk.bytes length:chunk_iter.chunk.size];
 colorSpaceRef = CGColorSpaceCreateWithICCProfile((__bridge CFDataRef)profileData);
 WebPDemuxReleaseChunkIterator(&chunk_iter);
 }
From 5076a1dd4526fb36f4590b226259f0a7c27295c3 Mon Sep 17 00:00:00 2001
From: Wu Zhong
Date: Mon, 18 Feb 2019 14:54:59 +0800
Subject: [PATCH 2/2] Fix small typos
---
 SDWebImage/SDWebImageWebPCoder.m | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SDWebImage/SDWebImageWebPCoder.m b/SDWebImage/SDWebImageWebPCoder.m
index 0c56c236..45430b28 100644
--- a/SDWebImage/SDWebImageWebPCoder.m
+++ b/SDWebImage/SDWebImageWebPCoder.m
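Review bot: The added comment in the `if (result)` branch of the first patch says the ICC copy is "really cheap, less than 10KB", but `chunk_iter.chunk.size` is read straight from the WebP file, so that figure describes typical profiles rather than a bound the code enforces. The copy itself is the right fix for the lifetime problem the commit describes; I would reword the comment to state the ownership rule and drop the size claim, e.g. `// Copy the ICCP payload: the color space retains the CFDataRef, which must outlive the WebPDemuxer that owns chunk.bytes; the size is file-controlled (usually small).` The enclosing function starts and ends outside the hunk, so it is not visible whether a NULL result from `CGColorSpaceCreateWithICCProfile` on a malformed profile is handled afterwards; that is worth confirming there. A decode test using an ICC-tagged WebP, run under Address Sanitizer, would keep this use-after-free from regressing.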
@@ -342,8 +342,8 @@
 WebPChunkIterator chunk_iter;
 int result = WebPDemuxGetChunk(demuxer, "ICCP", 1, &chunk_iter);
 if (result) {
- // See #2618, the `CGColorSpaceCreateWithICCProfile` does not copy ICC Profile data, it only retain the byte ptr.
- // When the libwebp `WebPDemuxer` dealloc, all chunk will be freed. So we must copy the ICC data (really cheap, less than 10KB)
+ // See #2618, the `CGColorSpaceCreateWithICCProfile` does not copy ICC Profile data, it only retain `CFDataRef`.
+ // When the libwebp `WebPDemuxer` dealloc, all chunks will be freed. So we must copy the ICC data (really cheap, less than 10KB)
 NSData *profileData = [NSData dataWithBytes:chunk_iter.chunk.bytes length:chunk_iter.chunk.size];
 colorSpaceRef = CGColorSpaceCreateWithICCProfile((__bridge CFDataRef)profileData);
 WebPDemuxReleaseChunkIterator(&chunk_iter);