heap-buffer-overflow in CIccTagLut16::Validate() at IccTagLut.cpp:5305 #397

@ChrisCoxArt

Description

Describe the bug

ASAN errors in CIccTagLut16::Validate()

To Reproduce

mt600TagLut16Samples.zip

  1. iccDumpProfile -v mt600za7_148848.pf
  2. observe ASan error
==67128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000578 at pc 0x00010ab50b93 bp 0x7ff7b69fddb0 sp 0x7ff7b69fdda8
READ of size 8 at 0x602000000578 thread T0
    #0 0x10ab50b92 in CIccTagLut16::Validate(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, CIccProfile const*) const IccTagLut.cpp:5305
    #1 0x10a932208 in CIccProfile::Validate(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, CIccProfile const*) const IccProfile.cpp:3005
    #2 0x10a93cf6e in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3773
    #3 0x1095035af in main iccDumpProfile.cpp:193
    #4 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

0x602000000578 is located 0 bytes after 8-byte region [0x602000000570,0x602000000578)
allocated by thread T0 here:
    #0 0x10b12ab8d in _Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xedb8d)
    #1 0x10ab34267 in CIccMBB::NewCurvesB() IccTagLut.cpp:3776
    #2 0x10ab4b635 in CIccTagLut16::Read(unsigned int, CIccIO*) IccTagLut.cpp:5071
    #3 0x10aa20c06 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) IccTagBasic.h:193
    #4 0x10a90d530 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfile.cpp:1335
    #5 0x10a917cb2 in CIccProfile::ReadValidate(CIccIO*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfile.cpp:961
    #6 0x10a93cb20 in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3763
    #7 0x1095035af in main iccDumpProfile.cpp:193
    #8 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

  1. iccDumpProfile -v mt600za7_222921.pf
  2. observe ASan error
==6381==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000578 at pc 0x00010665234b bp 0x7ff7bae72db0 sp 0x7ff7bae72da8
READ of size 8 at 0x602000000578 thread T0
    #0 0x10665234a in CIccTagLut16::Validate(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, CIccProfile const*) const IccTagLut.cpp:5346
    #1 0x106432208 in CIccProfile::Validate(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, CIccProfile const*) const IccProfile.cpp:3005
    #2 0x10643cf6e in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3773
    #3 0x10508e5af in main iccDumpProfile.cpp:193
    #4 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

0x602000000578 is located 0 bytes after 8-byte region [0x602000000570,0x602000000578)
allocated by thread T0 here:
    #0 0x106c2ab8d in _Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xedb8d)
    #1 0x106633ca2 in CIccMBB::NewCurvesA() IccTagLut.cpp:3731
    #2 0x10664c275 in CIccTagLut16::Read(unsigned int, CIccIO*) IccTagLut.cpp:5096
    #3 0x106520c06 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) IccTagBasic.h:193
    #4 0x10640d530 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfile.cpp:1335
    #5 0x106417cb2 in CIccProfile::ReadValidate(CIccIO*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfile.cpp:961
    #6 0x10643cb20 in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3763
    #7 0x10508e5af in main iccDumpProfile.cpp:193
    #8 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

Expected behavior

No buffer overflows.

Additional context

Trigger is LUTs where the input or output curve counts don't match the PCS and colorspace.
Fuzzed files hit this in 2 locations, one on input curves, one for output curves.
The same error exists in CIccTagLutBtoA::Validate(), and CIccTagLut8::Validate().
I had already patched CIccTagLutAtoB::Validate() for similar errors.
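
The count mismatch the reporter describes, as an added example that is not the project's code: a simplified model (hypothetical names Lut16Tag, readLut16, validateUnchecked and validateChecked, and a made-up Space enum standing in for ICC signatures) in which the tag's own declared curve count sizes the curve arrays while the validation loop runs over the channel count implied by the colour space and PCS, placed beside the check that rejects such a tag before indexing.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Colour spaces this example understands. Only the channel count matters for
// the check; the real library derives it from the ICC signature in the header.
enum class Space { Gray, RGB, CMYK, XYZ, Lab };

std::size_t channelsFor(Space s) {
  switch (s) {
    case Space::Gray: return 1;
    case Space::RGB:  return 3;
    case Space::CMYK: return 4;
    case Space::XYZ:  return 3;
    case Space::Lab:  return 3;
  }
  return 0;
}

struct Curve { std::vector<std::uint16_t> table; };

// Minimal stand-in for a lut16-type tag (hypothetical names). nInput and
// nOutput come from the tag bytes, so a crafted profile controls them
// independently of the colour space and PCS declared in the profile header.
struct Lut16Tag {
  std::size_t nInput = 0;
  std::size_t nOutput = 0;
  std::vector<std::unique_ptr<Curve>> curvesA;  // one slot per declared input
  std::vector<std::unique_ptr<Curve>> curvesB;  // one slot per declared output
};

// Stand-in for the reader: allocates exactly as many curve slots as the tag
// declares, which is what the allocation frames in the ASan traces do.
Lut16Tag readLut16(std::size_t nInput, std::size_t nOutput) {
  Lut16Tag t;
  t.nInput = nInput;
  t.nOutput = nOutput;
  for (std::size_t i = 0; i < nInput; ++i)  t.curvesA.push_back(std::make_unique<Curve>());
  for (std::size_t i = 0; i < nOutput; ++i) t.curvesB.push_back(std::make_unique<Curve>());
  return t;
}

// The bug pattern: loop bounds come from the profile header (device channels
// in, PCS channels out for an AToB-style tag), array sizes from the tag.
// std::vector::at() throws on the overrun; the library's raw new[] arrays
// instead read the pointer just past the block, which is the 8-byte
// heap-buffer-overflow READ in the report.
bool validateUnchecked(const Lut16Tag& tag, Space device, Space pcs, std::string& report) {
  for (std::size_t i = 0; i < channelsFor(device); ++i)
    if (!tag.curvesA.at(i)) { report += "missing input curve\n"; return false; }
  for (std::size_t i = 0; i < channelsFor(pcs); ++i)
    if (!tag.curvesB.at(i)) { report += "missing output curve\n"; return false; }
  return true;
}

// Hardened form: reject the tag when its declared counts disagree with the
// header before touching any curve, and bound the loops by what was allocated.
bool validateChecked(const Lut16Tag& tag, Space device, Space pcs, std::string& report) {
  const std::size_t in = channelsFor(device), out = channelsFor(pcs);
  if (tag.nInput != in || tag.curvesA.size() != tag.nInput) {
    report += "input curve count " + std::to_string(tag.nInput) +
              " does not match colour space channels " + std::to_string(in) + "\n";
    return false;
  }
  if (tag.nOutput != out || tag.curvesB.size() != tag.nOutput) {
    report += "output curve count " + std::to_string(tag.nOutput) +
              " does not match PCS channels " + std::to_string(out) + "\n";
    return false;
  }
  for (const auto& c : tag.curvesA) if (!c) { report += "missing input curve\n"; return false; }
  for (const auto& c : tag.curvesB) if (!c) { report += "missing output curve\n"; return false; }
  return true;
}

// Constructed case mirroring the first trace: a tag declaring one input curve
// inside an RGB-to-Lab profile. The unchecked loop overruns the single slot.
bool uncheckedOverruns() {
  Lut16Tag t = readLut16(1, 3);
  std::string r;
  try { validateUnchecked(t, Space::RGB, Space::Lab, r); }
  catch (const std::out_of_range&) { return true; }
  return false;
}

// Same tag, hardened path: rejected with a count mismatch before any indexing.
bool checkedRejects() {
  Lut16Tag t = readLut16(1, 3);
  std::string r;
  return !validateChecked(t, Space::RGB, Space::Lab, r) && r.find("input curve count 1") == 0;
}

// A well-formed CMYK-to-Lab tag passes both paths.
bool checkedAcceptsWellFormed() {
  Lut16Tag t = readLut16(4, 3);
  std::string r;
  return validateChecked(t, Space::CMYK, Space::Lab, r) &&
         validateUnchecked(t, Space::CMYK, Space::Lab, r);
}
```

readLut16(1, 3) is the shape of the first trace: one pointer-sized slot allocated for the input curves, then a loop that expects three. validateUnchecked indexes with at() only so the overrun is observable without undefined behaviour; the check that matters is the up-front comparison in validateChecked, which is the same guard the reporter says the AToB validator already received.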

Labels: Bug, In Scope, Security, Triaged