git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV/Build
export CXX=clang++ && export CXXFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O1 -fprofile-arcs -ftest-coverage" && export LDFLAGS="-fsanitize=address,undefined -fprofile-arcs" && cmake Cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON -DENABLE_UBSAN=ON -DENABLE_COVERAGE=ON -DENABLE_TOOLS=ON
make -j32
cd ../Testing/
echo "=== Updating PATH ==="
for d in ../Build/Tools/*; do
[ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
done
./CreateAllProfiles.sh
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/sbo-GetValues-FixedNum-crafted-cenc.icc
iccApplyToLink foo.bar 0 33 0 test 0.0 1.0 0 0 sbo-GetValues-FixedNum-crafted-cenc.icc 1 Display/sRGB_D65_MAT.icc 1
...
2026-03-15 20:49:54 (44.2 MB/s) - ‘sbo-GetValues-FixedNum-crafted-cenc.icc’ saved [704/704]
...
==381752==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x73ca9a901024 at pc 0x73ca9d7b1b2a bp 0x7ffd25cef320 sp 0x7ffd25cef318
WRITE of size 4 at 0x73ca9a901024 thread T0
SCARINESS: 51 (4-byte-write-stack-buffer-overflow)
#0 0x73ca9d7b1b29 in CIccTagFixedNum<int, (icTagTypeSignature)1936077618>::GetValues(float*, unsigned int, unsigned int) const IccProfLib/IccTagBasic.cpp:5520:22
#1 0x73ca9d7eaef1 in CIccTagStruct::GetElemNumberValue(unsigned int, float) IccProfLib/IccTagComposite.cpp:738:14
#2 0x73ca9d588c85 in CIccDefaultEncProfileConverter::ConvertFromParams(CIccProfile*&, CIccTagStruct*, icHeader*) IccProfLib/IccEncoding.cpp:369:33
#3 0x73ca9d58e229 in icConvertEncodingProfile(CIccProfile*&, CIccProfile*) IccProfLib/IccEncoding.cpp:602:68
#4 0x73ca9d4ac585 in CIccXform::Create(CIccProfile*, bool, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) IccProfLib/IccCmm.cpp:544:9
#5 0x73ca9d5390ed in CIccCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) IccProfLib/IccCmm.cpp:8359:15
#6 0x62cbf639f7de in main Tools/CmdLine/IccApplyToLink/iccApplyToLink.cpp:771:21
#7 0x73ca9ca2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x73ca9ca2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x62cbf62c2814 in _start (Build/Tools/IccApplyToLink/iccApplyToLink+0x39814) (BuildId: 7a1edc61e0197857f1bdf363516afb20e8c3008f)
Address 0x73ca9a901024 is located in stack of thread T0 at offset 36 in frame
#0 0x73ca9d7eac1f in CIccTagStruct::GetElemNumberValue(unsigned int, float) IccProfLib/IccTagComposite.cpp:729
This frame has 1 object(s):
[32, 36) 'rv' (line 736) <== Memory access at offset 36 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow IccProfLib/IccTagBasic.cpp:5520:22 in CIccTagFixedNum<int, (icTagTypeSignature)1936077618>::GetValues(float*, unsigned int, unsigned int) const
Shadow bytes around the buggy address:
0x73ca9a900d80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x73ca9a900e00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x73ca9a900e80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x73ca9a900f00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x73ca9a900f80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x73ca9a901000: f1 f1 f1 f1[04]f3 f3 f3 f5 f5 f5 f5 f5 f5 f5 f5
0x73ca9a901080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x73ca9a901100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x73ca9a901180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x73ca9a901200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x73ca9a901280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==381752==ABORTING
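The report above pins the fault to a 4-byte write one float past `rv`, a single stack float in `GetElemNumberValue`, reached through the count-based `GetValues(float*, start, count)` interface. The C++ below is an added illustration, not iccDEV code: it models that call shape with hypothetical names (`NumArrayModel`, `GetValuesUnchecked`, a `GetValues` that takes an explicit destination capacity, `GetElemNumberValueModel`) and contrasts the trusting form with a defensive one that checks the destination capacity alongside the source range. The exact path by which the real code reaches the oversize write is not on this page and is not modeled.

```cpp
// Added illustration, not iccDEV code. Models the GetElemNumberValue -> GetValues
// call shape from the ASan report above; every name here is hypothetical.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Hypothetical number-array tag holding raw s15Fixed16 words (1.0 == 65536).
class NumArrayModel {
public:
    explicit NumArrayModel(std::vector<int32_t> raw) : m_Num(std::move(raw)) {}

    size_t GetNumValues() const { return m_Num.size(); }

    // Trusting shape: only the source side is validated. The caller's dst is
    // assumed to hold nVectorSize floats, so a 1-float stack variable paired
    // with nVectorSize > 1 is written past its end (the defect class the
    // sanitizer reported). Kept only for contrast; never call it with an
    // undersized dst.
    bool GetValuesUnchecked(float* dst, unsigned nStart, unsigned nVectorSize) const {
        if (nStart + nVectorSize > m_Num.size())   // the sum itself can wrap
            return false;
        for (unsigned i = 0; i < nVectorSize; ++i)
            dst[i] = static_cast<float>(m_Num[nStart + i]) / 65536.0f;
        return true;
    }

    // Hardened shape: the destination capacity is part of the contract and is
    // checked, and the source-range test is written so it cannot wrap.
    bool GetValues(float* dst, size_t dstCapacity, unsigned nStart, unsigned nVectorSize) const {
        if (dst == nullptr || nVectorSize > dstCapacity)
            return false;
        if (nStart > m_Num.size() || nVectorSize > m_Num.size() - nStart)
            return false;
        for (unsigned i = 0; i < nVectorSize; ++i)
            dst[i] = static_cast<float>(m_Num[nStart + i]) / 65536.0f;
        return true;
    }

private:
    std::vector<int32_t> m_Num;
};

// Models the caller in the trace: one float on the stack receives one element.
// The capacity (1) is passed explicitly, so an oversize or out-of-range request
// is refused and the default is returned instead of rv being overflowed.
float GetElemNumberValueModel(const NumArrayModel& arr, unsigned nIndex, float defaultValue) {
    float rv = defaultValue;
    if (!arr.GetValues(&rv, 1, nIndex, 1))
        return defaultValue;
    return rv;
}
```

The design point is that a fixed-count read into caller memory needs two bounds, the source array and the destination buffer; checking only the source leaves a one-element stack variable exactly as exposed as the report shows. Building with the ASan flags from the reproduction steps above is what turns this class of write into a hard stop rather than silent stack corruption.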
Maintainer Repro
2026-03-13 19:17:18 UTC
Git
1ffa7a8 (HEAD -> master, tag: v2.3.1.5, origin/master, origin/HEAD) v2.3.1.5 (#661)
4df1fe0 (HEAD -> master, origin/master, origin/HEAD) Fix: Init in iccV5DspObsToV4Dsp (#695)
PoC Output