heap-buffer-overflow in CIccTagTextDescription::ReleaseUnicode() at IccTagBasic.cpp:2373 #396

@ChrisCoxArt

Description

Describe the bug

ASan error in CIccTagTextDescription::ReleaseUnicode().
Reading past the end of a buffer holding a Unicode string.

To Reproduce

mt600za7_73352.pf.zip

  1. iccDumpProfile -v mt600za7_73352.pf
  2. observe ASan error
==25553==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000252 at pc 0x000103e87fa7 bp 0x7ff7bd551b50 sp 0x7ff7bd551b48
READ of size 2 at 0x602000000252 thread T0
    #0 0x103e87fa6 in CIccTagTextDescription::ReleaseUnicode() IccTagBasic.cpp:2373
    #1 0x103e8705a in CIccTagTextDescription::Read(unsigned int, CIccIO*) IccTagBasic.cpp:2125
    #2 0x103f20c06 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) IccTagBasic.h:193
    #3 0x103e0d530 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfile.cpp:1335
    #4 0x103e17cb2 in CIccProfile::ReadValidate(CIccIO*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfile.cpp:961
    #5 0x103e3cb20 in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3763
    #6 0x1029af5af in main iccDumpProfile.cpp:193
    #7 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

0x602000000252 is located 0 bytes after 2-byte region [0x602000000250,0x602000000252)
allocated by thread T0 here:
    #0 0x10461a80d in malloc+0x9d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xdd80d)
    #1 0x103e83cce in CIccTagTextDescription::CIccTagTextDescription() IccTagBasic.cpp:1935
    #2 0x103e84038 in CIccTagTextDescription::CIccTagTextDescription() IccTagBasic.cpp:1930
    #3 0x103fa44bb in CIccSpecTagFactory::CreateTag(icTagTypeSignature) IccTagFactory.cpp:383
    #4 0x103facd2e in CIccTagCreator::DoCreateTag(icTagTypeSignature) IccTagFactory.cpp:556
    #5 0x103e7316e in CIccTagCreator::CreateTag(icTagTypeSignature) IccTagFactory.h:276
    #6 0x103e73112 in CIccTag::Create(icTagTypeSignature) IccTagBasic.cpp:145
    #7 0x103e0cf34 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfile.cpp:1323
    #8 0x103e17cb2 in CIccProfile::ReadValidate(CIccIO*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfile.cpp:961
    #9 0x103e3cb20 in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3763
    #10 0x1029af5af in main iccDumpProfile.cpp:193
    #11 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

Expected behavior

No buffer overflow.

Additional context

Trigger is a unicode string of length 1, but several parts of the code are potentially unsafe.
This was observed on 8 different fuzzed files originating from the mt600za7.pf template.
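The report describes a read past the end of a heap block that holds a UTF-16 string, triggered by a declared Unicode length of 1. The following is an added illustration of that bug class and of the check that prevents it; it is not IccProfLib's code and does not reproduce the logic at IccTagBasic.cpp:2373. It assumes a deliberately simplified, hypothetical layout (a 32-bit big-endian count that includes the terminator, followed by that many UTF-16BE code units) and uses constructed sample inputs rather than bytes from mt600za7_73352.pf.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical simplified layout (illustration only, not the ICC textDescriptionType parser
 * in IccProfLib):  uint32 BE count (terminator included), then count UTF-16BE code units. */

enum {
    DESC_OK = 0,
    DESC_ERR_TRUNC_HEADER = -1,  /* fewer than 4 bytes available for the count           */
    DESC_ERR_BAD_COUNT    = -2,  /* count of 0 (no room for a terminator) or > capacity  */
    DESC_ERR_TRUNC_BODY   = -3,  /* declared count claims more units than the data holds  */
    DESC_ERR_NO_TERMINATOR = -4  /* last declared unit is not NUL                         */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unbounded scan: assumes a NUL unit exists somewhere after s. If the caller has not
 * verified that, the loop walks off the end of the heap block, which is exactly the
 * "READ of size 2 ... 0 bytes after 2-byte region" pattern ASan reports above. */
size_t utf16_len_unbounded(const uint16_t *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Bounded scan: never inspects more than max units, so a missing terminator is harmless. */
size_t utf16_nlen(const uint16_t *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != 0) n++;
    return n;
}

/* Hardened parse: every length that comes from the file is checked against the bytes
 * actually present and against the destination capacity before it is used. */
int parse_unicode_desc(const uint8_t *buf, size_t buflen,
                       uint16_t *out, size_t outcap, size_t *outcount) {
    if (buflen < 4) return DESC_ERR_TRUNC_HEADER;
    uint32_t count = be32(buf);
    if (count == 0 || count > outcap) return DESC_ERR_BAD_COUNT;
    /* count <= outcap, so count * 2 cannot overflow size_t here */
    if ((size_t)count * 2 > buflen - 4) return DESC_ERR_TRUNC_BODY;
    for (uint32_t i = 0; i < count; i++) out[i] = be16(buf + 4 + 2 * i);
    /* A count of 1 is legal only when that single unit is the NUL terminator. */
    if (out[count - 1] != 0) return DESC_ERR_NO_TERMINATOR;
    *outcount = count;
    return DESC_OK;
}

/* Constructed sample inputs (not taken from the fuzzed profile in the report). */
static const uint8_t GOOD_DESC[]  = { 0,0,0,6, 0,'H', 0,'e', 0,'l', 0,'l', 0,'o', 0,0 };
static const uint8_t BAD_DESC[]   = { 0,0,0,1, 0,'A' };            /* count 1, unit is not NUL */
static const uint8_t ZERO_DESC[]  = { 0,0,0,0 };                   /* count 0                 */
static const uint8_t TRUNC_DESC[] = { 0,0,0,9, 0,'H', 0,'i' };     /* claims 9 units, has 2   */

/* Small wrappers so the outcome of a parse can be checked as a single return value. */
int rc_of(const uint8_t *buf, size_t buflen) {
    uint16_t out[32]; size_t n = 0;
    return parse_unicode_desc(buf, buflen, out, 32, &n);
}
size_t textlen_of(const uint8_t *buf, size_t buflen) {
    uint16_t out[32]; size_t n = 0;
    if (parse_unicode_desc(buf, buflen, out, 32, &n) != DESC_OK) return 0;
    return utf16_nlen(out, n);
}

int main(void) {
    printf("good : rc=%d textlen=%zu\n", rc_of(GOOD_DESC, sizeof GOOD_DESC),
           textlen_of(GOOD_DESC, sizeof GOOD_DESC));
    printf("bad  : rc=%d\n", rc_of(BAD_DESC, sizeof BAD_DESC));
    printf("zero : rc=%d\n", rc_of(ZERO_DESC, sizeof ZERO_DESC));
    printf("trunc: rc=%d\n", rc_of(TRUNC_DESC, sizeof TRUNC_DESC));
    /* The unbounded scan is only safe after the terminator has been verified. */
    uint16_t out[32]; size_t n = 0;
    if (parse_unicode_desc(GOOD_DESC, sizeof GOOD_DESC, out, 32, &n) == DESC_OK)
        printf("verified: unbounded len=%zu\n", utf16_len_unbounded(out));
    return 0;
}
```

The point of the example is the ordering: reject a declared count that is zero, that exceeds the remaining data, or whose last unit is not NUL before any scan that relies on a terminator runs. Building with `-fsanitize=address` and calling utf16_len_unbounded on the BAD_DESC units instead would reproduce the same class of report as the trace above.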

Labels

Bug, Bug Report, In Scope (maintainer indicates in-scope report), Security, Security Related, Triaged (maintainer indicates triaged status and ready for developer handoff)