Skip to content

UB at IccJsonUtil.cpp:444 #698

Closed
Bug
#739
Closed
UB at IccJsonUtil.cpp:444#698
Bug
#739
Assignees
xsscx
Labels
TriagedMaintainer indicates triaged status and ready for developer handofflibFuzzerlibFuzzer Related
@xsscx

Description

@xsscx
xsscx
opened on Mar 16, 2026

Maintainer Repro

2026-03-16 00:58:53 UTC

Git

1ffa7a8 (HEAD -> master, tag: v2.3.1.5, origin/master, origin/HEAD) v2.3.1.5 (#661)
4df1fe0 (HEAD -> master, origin/master, origin/HEAD) Fix: Init in iccV5DspObsToV4Dsp (#695)

git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV/Build
export CXX=clang++ && export CXXFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O1 -fprofile-arcs -ftest-coverage" && export LDFLAGS="-fsanitize=address,undefined -fprofile-arcs" && cmake Cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON -DENABLE_UBSAN=ON -DENABLE_COVERAGE=ON -DENABLE_TOOLS=ON
make -j32
        cd ../Testing/
        echo "=== Updating PATH ==="
         for d in ../Build/Tools/*; do
          [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
         done
./CreateAllProfiles.sh
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/sbo-GetValues-FixedNum-crafted-cenc.icc
ASAN_OPTIONS=print_scariness=1:halt_on_error=0:abort_on_error=0:print_full_stacktrace=1:detect_leaks=0 iccApplyNamedCmm -cfg <(echo '{"dataFiles":{"srcType":"colorData"},"profileSequence":[{"iccFile":"sbo-GetValues-FixedNum-crafted-cenc.icc","intent":1},{"iccFile":"Display/sRGB_D65_MAT.icc","intent":1}],"colorData":{"space":"RGB ","encoding":"float","data":[{"values":[0.5,0.5,0.5]}]}}')

PoC Output

Tools/CmdLine/IccCommon/IccJsonUtil.cpp:444:7: runtime error: addition of unsigned offset to 0x502000000010 overflowed to 0x50200000000f
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Tools/CmdLine/IccCommon/IccJsonUtil.cpp:444:7

Patched Output

ASAN_OPTIONS=print_scariness=1:halt_on_error=0:abort_on_error=0:print_full_stacktrace=1:detect_leaks=0 iccApplyNamedCmm -cfg <(echo '{"dataFiles":{"srcType":"colorData"},"profileSequence":[{"iccFile":"sbo-GetValues-FixedNum-crafted-cenc.icc","intent":1},{"iccFile":"Display/sRGB_D65_MAT.icc","intent":1}],"colorData":{"space":"RGB ","encoding":"float","data":[{"values":[0.5,0.5,0.5]}]}}')
Unable to read configuration from '/dev/fd/63'

Metadata

Metadata

Assignees

Labels

TriagedMaintainer indicates triaged status and ready for developer handofflibFuzzerlibFuzzer Related

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions