heap-buffer-overflow in CIccTagLut8::Validate() at IccTagLut.cpp:4880

[xsscx]

The same error in CIccTagLut8::Validate was hit with other files.

To Reproduce

BlacklightPosterTagLut8Samples.zip

1. iccDumpProfile -v BlacklightPoster_202143.icc
2. iccDumpProfile -v BlacklightPoster_411039.icc
3. Observe ASAN error

==24954==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000260 at pc 0x000105e47b4c bp 0x7ff7bb66cdb0 sp 0x7ff7bb66cda8
READ of size 8 at 0x602000000260 thread T0
    #0 0x105e47b4b in CIccTagLut8::Validate(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, CIccProfile const*) const IccTagLut.cpp:4880
    #1 0x105c31ef8 in CIccProfile::Validate(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, CIccProfile const*) const IccProfile.cpp:3004
    #2 0x105c3cc5e in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3772
    #3 0x1048945af in main iccDumpProfile.cpp:193
    #4 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

0x602000000260 is located 0 bytes after 16-byte region [0x602000000250,0x602000000260)
allocated by thread T0 here:
    #0 0x10642ab8d in _Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xedb8d)
    #1 0x105e342f7 in CIccMBB::NewCurvesB() IccTagLut.cpp:3776
    #2 0x105e429bc in CIccTagLut8::Read(unsigned int, CIccIO*) IccTagLut.cpp:4619
    #3 0x105d20c96 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) IccTagBasic.h:193
    #4 0x105c0d250 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfile.cpp:1335
    #5 0x105c179d2 in CIccProfile::ReadValidate(CIccIO*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfile.cpp:961
    #6 0x105c3c810 in ValidateIccProfile(char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, icValidateStatus&) IccProfile.cpp:3762
    #7 0x1048945af in main iccDumpProfile.cpp:193
    #8 0x7ff8056c7344 in start+0x774 (dyld:x86_64+0xfffffffffff5c344)

Originally posted by @ChrisCoxArt in #397

[xsscx]

Repro

rm -rf iccDEV/
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV
git checkout b656e807a4e8dcba23c962a0c3bb25bba1fc8ea9
git rev-parse HEAD && git show --no-patch --oneline
...
HEAD is now at b656e80  Add: Defense in Depth (#385)
b656e807a4e8dcba23c962a0c3bb25bba1fc8ea9
b656e80 (HEAD, origin/master, origin/HEAD, master)  Add: Defense in Depth (#385)
...
cmake   -S Build/Cmake -B .   -DCMAKE_EXPORT_COMPILE_COMMANDS=ON   -DCMAKE_INSTALL_PREFIX="$HOME/.local"   -DCMAKE_BUILD_TYPE=Debug   -DENABLE_TOOLS=ON   -DENABLE_STATIC_LIBS=ON   -DENABLE_SHARED_LIBS=ON   -DCMAKE_C_FLAGS_DEBUG="-O1 -g3 -fno-omit-frame-pointer -fsanitize=address,undefined"   -DCMAKE_CXX_FLAGS_DEBUG="-O1 -g3 -fno-omit-frame-pointer -fsanitize=address,undefined"   -DCMAKE_EXE_LINKER_FLAGS_DEBUG="-fsanitize=address,undefined -Wl,--build-id=sha1"   -DCMAKE_SHARED_LINKER_FLAGS_DEBUG="-fsanitize=address,undefined -Wl,--build-id=sha1"   -Wno-dev
cmake --build . -j$(nproc)
...
BIN=build/Tools/IccDumpProfile/iccDumpProfile
file "$BIN"
readelf -n "$BIN" | grep 'Build ID'
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 \
"$BIN" -v BlacklightPoster_202143.icc

git rev-parse HEAD && git show --no-patch --oneline
b656e80
b656e80 (HEAD -> master, origin/master, origin/HEAD) Add: Defense in Depth (#385)

Output

Tools/IccDumpProfile/iccDumpProfile: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=da410b918cd5ca5d590abd7fb7f4ca5469f2772c, for GNU/Linux 3.2.0, with debug_info, not stripped
...
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 "$BIN" -v BlacklightPoster_202143.icc
=================================================================
==78077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000e0 at pc 0x7509744c0683 bp 0x7ffd64d0c090 sp 0x7ffd64d0c088
READ of size 8 at 0x5020000000e0 thread T0
    #0 0x7509744c0682 in CIccTagLut8::Validate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, CIccProfile const*) const /home/xss/repro-head/iccDEV/IccProfLib/IccTagLut.cpp:4880:15
    #1 0x75097421fad8 in CIccProfile::Validate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, CIccProfile const*) const /home/xss/repro-head/iccDEV/IccProfLib/IccProfile.cpp:3005:37
    #2 0x75097422f0b5 in ValidateIccProfile(char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, icValidateStatus&) /home/xss/repro-head/iccDEV/IccProfLib/IccProfile.cpp:3773:40
    #3 0x598594a2ab22 in main /home/xss/repro-head/iccDEV/Tools/CmdLine/IccDumpProfile/iccDumpProfile.cpp:193:12
    #4 0x75097322a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x75097322a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0x59859494d5b4 in _start (/home/xss/repro-head/iccDEV/Tools/IccDumpProfile/iccDumpProfile+0x405b4) (BuildId: da410b918cd5ca5d590abd7fb7f4ca5469f2772c)

0x5020000000e0 is located 0 bytes after 16-byte region [0x5020000000d0,0x5020000000e0)
allocated by thread T0 here:
    #0 0x598594a26b41 in operator new[](unsigned long) (/home/xss/repro-head/iccDEV/Tools/IccDumpProfile/iccDumpProfile+0x119b41) (BuildId: da410b918cd5ca5d590abd7fb7f4ca5469f2772c)
    #1 0x7509744a1f16 in CIccMBB::NewCurvesB() /home/xss/repro-head/iccDEV/IccProfLib/IccTagLut.cpp:3776:15
    #2 0x7509744b7fe8 in CIccTagLut8::Read(unsigned int, CIccIO*) /home/xss/repro-head/iccDEV/IccProfLib/IccTagLut.cpp:4619:13
    #3 0x750974370f38 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) /home/xss/repro-head/iccDEV/IccProfLib/IccTagBasic.h:193:92
    #4 0x7509741e15e5 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) /home/xss/repro-head/iccDEV/IccProfLib/IccProfile.cpp:1335:14
    #5 0x7509741f2584 in CIccProfile::ReadValidate(CIccIO*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) /home/xss/repro-head/iccDEV/IccProfLib/IccProfile.cpp:961:10
    #6 0x75097422e922 in ValidateIccProfile(char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, icValidateStatus&) /home/xss/repro-head/iccDEV/IccProfLib/IccProfile.cpp:3763:19
    #7 0x598594a2ab22 in main /home/xss/repro-head/iccDEV/Tools/CmdLine/IccDumpProfile/iccDumpProfile.cpp:193:12
    #8 0x75097322a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x75097322a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x59859494d5b4 in _start (/home/xss/repro-head/iccDEV/Tools/IccDumpProfile/iccDumpProfile+0x405b4) (BuildId: da410b918cd5ca5d590abd7fb7f4ca5469f2772c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xss/repro-head/iccDEV/IccProfLib/IccTagLut.cpp:4880:15 in CIccTagLut8::Validate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, CIccProfile const*) const
Shadow bytes around the buggy address:
  0x501ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x501ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x501fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502000000000: fa fa fd fd fa fa 00 fa fa fa fd fa fa fa 02 fa
=>0x502000000080: fa fa fd fa fa fa 00 04 fa fa 00 00[fa]fa 04 fa
  0x502000000100: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x502000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==78077==ABORTING

XNU x64

Darwin Kernel Version 24.6.0: Wed Oct 15 21:12:21 PDT 2025; root:xnu-11417.140.69.703.14~1/RELEASE_X86_64 x86_64
git rev-parse HEAD && git show --no-patch --oneline
b656e807a4e8dcba23c962a0c3bb25bba1fc8ea9
b656e80 (HEAD -> master, origin/master, origin/HEAD)  Add: Defense in Depth (#385)

[ChrisCoxArt]

Same basic cause as #397 fixed in the same branch.