CVE-2023-46867: Bugs from Fuzzing · Issue #54 · InternationalColorConsortium/DemoIccMAX
In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.
Bug 1 - Heap Buffer Overflow in CIccCLUT::Interp3d
Severity: Reference Implementation | High
Description
A heap buffer overflow has been identified in the CIccCLUT::Interp3d method. This vulnerability can lead to potential crashes or undefined behavior when certain conditions are met.
Steps to Reproduce
Utilize the CIccCLUT::Interp3d method on a CIccCLUT object under conditions where m_nNumPoints * m_nOutput equals 0.
Attempt to access indices beyond the allocated size of the m_pData array.
Debug Session
(lldb) fr se 5
frame #5: 0x0000000100e8c982 libIccProfLib2.2.dylib`CIccCLUT::Interp3d(this=0x0000614000000440, destPixel=0x00007ff7bfefde80, srcPixel=0x00007ff7bfefde80) const at IccTagLut.cpp:2594:27
2591 return;
2592 }
2593
-> 2594 destPixel[i] = p[n000] * dF0 + p[n001] * dF1 + p[n010] * dF2 + p[n011] * dF3 +
2595 p[n100] * dF4 + p[n101] * dF5 + p[n110] * dF6 + p[n111] * dF7;
2596 }
2597 }
(lldb) frame variable
(CIccCLUT *) this = 0x0000614000000440
(icFloatNumber *) destPixel = 0x00007ff7bfefde80
(const icFloatNumber *) srcPixel = 0x00007ff7bfefde80
(icUInt8Number) mx = '\xff'
(icUInt8Number) my = '\xff'
(icUInt8Number) mz = '\xff'
(icFloatNumber) x = 0
(icFloatNumber) y = 0
(icFloatNumber) z = 0
(icUInt32Number) ix = 0
(icUInt32Number) iy = 0
(icUInt32Number) iz = 0
(icFloatNumber) u = 0
(icFloatNumber) t = 0
(icFloatNumber) s = 0
(icFloatNumber) ns = 1
(icFloatNumber) nt = 1
(icFloatNumber) nu = 1
(icFloatNumber) dF0 = 1
(icFloatNumber) dF1 = 0
(icFloatNumber) dF2 = 0
(icFloatNumber) dF3 = 0
(icFloatNumber) dF4 = 0
(icFloatNumber) dF5 = 0
(icFloatNumber) dF6 = 0
(icFloatNumber) dF7 = 0
(icUInt32Number) maxIndex = 50331647
(icFloatNumber *) pStart = 0x00006020000002d0
(int) i = 0
(icFloatNumber *) p = 0x00006020000002d0
(lldb) dis -s $pc-32 -c 24
libIccProfLib2.2.dylib`CIccCLUT::Interp3d:
0x100e8c962 <+2978>: loopne 0x100e8c961 ; <+2977> at IccTagLut.cpp
Symptoms
- The program crashes with an AddressSanitizer report indicating a heap-buffer-overflow in CIccCLUT::Interp3d.
- The value of m_nNumPoints * m_nOutput is 0, indicating that the m_pData array might not have been allocated or is of size 0.
- Attempts are made to access indices as high as 3 and potentially up to 50331647 (as indicated by the maxIndex variable).
Potential Causes
- Improper initialization or setup of the CIccCLUT object.
- Possible errors in the copy constructor or assignment operator of CIccCLUT.
- The m_pData array might be reallocated with a different size elsewhere in the code.
- Invalid or corrupt input data affecting the CIccCLUT object’s construction.
Bug 2 - Segmentation Fault in CIccXformMatrixTRC::GetCurve
Severity: Reference Implementation | High
Description
A segmentation fault (SEGV) has been identified in the CIccXformMatrixTRC::GetCurve method within the IccCmm.cpp file, specifically at line 5240. The crash appears to be due to a read memory access at the zero address, suggesting a potential null pointer dereference.
Steps to Reproduce
Invoke the CIccXformMatrixTRC::GetCurve method with specific input that triggers the SEGV.
The exact input causing this behavior needs further investigation.
Observe the crash due to a segmentation fault.
Crash Details
AddressSanitizer:DEADLYSIGNAL
=================================================================
==59095==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000104511cd4 bp 0x7ff7bc556550 sp 0x7ff7bc556500 T0)
==59095==The signal is caused by a READ memory access.
==59095==Hint: address points to the zero page.
#0 0x104511cd4 in CIccXformMatrixTRC::GetCurve(unsigned int) const IccCmm.cpp:5240
#1 0x10451107a in CIccXformMatrixTRC::Begin() IccCmm.cpp:5100
#2 0x1045394a8 in CIccCmm::Begin(bool, bool) IccCmm.cpp:8297
#3 0x1045905a4 in CIccEvalCompare::EvaluateProfile(CIccProfile*, unsigned char, icRenderingIntent, icXformInterp, bool) IccEval.cpp:110
#4 0x104591419 in CIccEvalCompare::EvaluateProfile(char const*, unsigned char, icRenderingIntent, icXformInterp, bool) IccEval.cpp:197
#5 0x1039ae0d2 in main iccRoundTrip.cpp:168
#6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
==59095==Register values:
rax = 0x0000000000000000 rbx = 0x00007ff7bc556900 rcx = 0x0000100000000000 rdx = 0x0000000000000000
rdi = 0x00007ff7bc5562c0 rsi = 0x00007ff7bc556320 rbp = 0x00007ff7bc556550 rsp = 0x00007ff7bc556500
r8 = 0x0000604000001610 r9 = 0xf3f3f300f1f1f100 r10 = 0x00007fffffffffff r11 = 0xffffffffffffff20
r12 = 0x00007ff7bc557590 r13 = 0x0000000000000000 r14 = 0x00000001039addb0 r15 = 0x00007ff7bc557710
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV IccCmm.cpp:5240 in CIccXformMatrixTRC::GetCurve(unsigned int) const
Symptoms
- The program crashes with an AddressSanitizer report indicating a SEGV in CIccXformMatrixTRC::GetCurve.
- The memory access causing the SEGV is a read operation from address 0x000000000000, which points to the zero page.
- The crash occurs specifically at line IccCmm.cpp:5240.
Potential Causes
- Dereferencing a null pointer or uninitialized pointer in the CIccXformMatrixTRC::GetCurve method.
- An invalid curve index or parameter passed to the method, leading to out-of-bounds memory access.
- Memory corruption elsewhere in the application affecting the behavior of the CIccXformMatrixTRC::GetCurve method.
Bugs 3 - 6
Bug Report: Undefined Behavior in IccTagLut.cpp and IccProfileXml.cpp
Severity: Reference Implementation | High
The UndefinedBehaviorSanitizer tool has identified multiple instances of undefined behavior within the IccTagLut.cpp and IccProfileXml.cpp files.
Bug 3 Description
File: IccTagLut.cpp
Line: 1798
Issue: Index -1 is being used to access an array of type icUInt32Number[16], which results in out-of-bounds access.
Bug 4 Description
File: IccTagLut.cpp
Line: 1799
Issue: Index -1 is being used to access an array of type icUInt8Number[16], which results in out-of-bounds access.
Bug 5 Description
File: IccProfileXml.cpp
Line: 128
Issue: Loading a value 2543294359 which is not a valid value for the type icPlatformSignature.
Bug 6 Description
File: IccProfileXml.cpp
Line: 129
Issue: Loading a value 2543294359 which is not a valid value for the type icPlatformSignature.
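A reduced CLUT carrying the validation these reports imply is missing, added here as an example and not DemoIccMAX code: Init() rejects nInput == 0 (an nInput - 1 style index with nInput == 0 is the usual way to reach index -1 in a 16-entry dimension array, which is an assumption about IccTagLut.cpp:1798-1799), axes with fewer than two points, and sizes that wrap; Interp3d() refuses to run over an empty data array or outside it, the state Bug 1 shows with m_nNumPoints * m_nOutput == 0 and maxIndex = 50331647. The type names follow the report; the field layout, the Cell() helper and demoInterp() are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>
// Added example, not DemoIccMAX code. A reduced CLUT with the checks the
// reports imply are missing: Init() rejects nInput == 0 (the index -1 of
// Bugs 3/4), axes with fewer than two points, and sizes that wrap; Interp3d()
// rejects an empty data array and bounds-checks its cell (Bug 1).
typedef float    icFloatNumber;
typedef uint32_t icUInt32Number;
typedef uint8_t  icUInt8Number;
struct CheckedClut {
    icUInt8Number  m_nInput = 0;
    icUInt8Number  m_nOutput = 0;
    icUInt8Number  m_GridPoints[16] = {};  // points per input axis (16 axes max)
    icUInt32Number m_DimSize[16] = {};     // stride of each axis, in floats
    std::vector<icFloatNumber> m_pData;    // m_nNumPoints * m_nOutput floats

    // Validates everything before the first write; on failure the object is untouched.
    bool Init(icUInt8Number nInput, icUInt8Number nOutput, const icUInt8Number *gridPoints) {
        if (nInput < 1 || nInput > 16 || nOutput < 1) return false;
        icUInt32Number dim[16], stride = nOutput;   // innermost stride = output channels
        for (int i = nInput - 1; i >= 0; --i) {
            if (gridPoints[i] < 2) return false;    // need two points per axis to interpolate
            dim[i] = stride;
            if (stride > std::numeric_limits<icUInt32Number>::max() / gridPoints[i])
                return false;                       // nNumPoints * nOutput would wrap
            stride *= gridPoints[i];
        }
        m_nInput = nInput;
        m_nOutput = nOutput;
        for (int i = 0; i < nInput; ++i) { m_GridPoints[i] = gridPoints[i]; m_DimSize[i] = dim[i]; }
        m_pData.assign(stride, 0.0f);               // stride == nNumPoints * nOutput
        return true;
    }

    // Map one input in [0,1] onto a cell index and the fraction within that cell.
    static void Cell(icFloatNumber v, icUInt8Number gp, icUInt32Number &idx, icFloatNumber &frac) {
        if (v < 0) v = 0;
        if (v > 1) v = 1;
        const icFloatNumber x = v * (gp - 1);
        idx = static_cast<icUInt32Number>(x);
        frac = x - idx;
        if (idx >= static_cast<icUInt32Number>(gp - 1)) { idx = gp - 2; frac = 1; }  // top edge
    }

    // Trilinear interpolation; returns false when no in-bounds interpolation is possible.
    bool Interp3d(icFloatNumber *destPixel, const icFloatNumber *srcPixel) const {
        if (m_nInput != 3 || m_pData.empty()) return false;
        icUInt32Number ix, iy, iz; icFloatNumber u, t, s;
        Cell(srcPixel[0], m_GridPoints[0], ix, u);
        Cell(srcPixel[1], m_GridPoints[1], iy, t);
        Cell(srcPixel[2], m_GridPoints[2], iz, s);
        const size_t dx = m_DimSize[0], dy = m_DimSize[1], dz = m_DimSize[2];
        const size_t base = size_t(ix) * dx + size_t(iy) * dy + size_t(iz) * dz;
        // One check covers all eight corners: n111 is the farthest, plus nOutput channels.
        if (base + dx + dy + dz + m_nOutput > m_pData.size()) return false;
        const icFloatNumber *p = &m_pData[base];
        const icFloatNumber dF0 = (1-u)*(1-t)*(1-s), dF1 = (1-u)*(1-t)*s,
                            dF2 = (1-u)*t*(1-s),     dF3 = (1-u)*t*s,
                            dF4 = u*(1-t)*(1-s),     dF5 = u*(1-t)*s,
                            dF6 = u*t*(1-s),         dF7 = u*t*s;
        for (icUInt32Number i = 0; i < m_nOutput; ++i)
            destPixel[i] = p[i]*dF0 + p[dz+i]*dF1 + p[dy+i]*dF2 + p[dy+dz+i]*dF3
                         + p[dx+i]*dF4 + p[dx+dz+i]*dF5 + p[dx+dy+i]*dF6 + p[dx+dy+dz+i]*dF7;
        return true;
    }
};
// Constructed 2x2x2 grid, one output channel whose value is the linear index,
// so trilinear interpolation is exact and easy to check by hand.
bool demoInterp(icFloatNumber *out, icFloatNumber x, icFloatNumber y, icFloatNumber z) {
    CheckedClut clut;
    const icUInt8Number gp[3] = {2, 2, 2};
    if (!clut.Init(3, 1, gp)) return false;
    for (size_t i = 0; i < clut.m_pData.size(); ++i) clut.m_pData[i] = static_cast<icFloatNumber>(i);
    const icFloatNumber src[3] = {x, y, z};
    return clut.Interp3d(out, src);
}
```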
Bug 7
Severity: Reference Implementation | High
Description
Heap buffer overflow in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(pBuf=0x0000625000007900, nSize=4096, szText="") at IccUtilXml.cpp:1003:10
This is the template member that parses text into an array type; the instantiation here is for unsigned short with tag type 1969828150 (0x75693136), which the lldb session below identifies as icSigUInt16ArrayType.
Variables at Crash Time:
pBuf: A pointer to the buffer where parsed data is stored.
nSize: The size of the buffer (4096).
szText: A pointer to the text being parsed.
n: Counter variable, which is also 4096 at the time of the crash.
Crash Location in Code:
The crash occurs in the loop condition while (*szText && n<nSize) { at IccUtilXml.cpp:1003.
Because *szText is evaluated before n<nSize, the loop reads one more byte even once n has reached nSize (both are 4096 here); at that point szText has already advanced to the byte just past the 27135-byte allocation (see the ASan report), so the read is out of bounds.
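A length-bounded rewrite of that loop, added here as an example and not DemoIccMAX code: the text length is passed explicitly and both counters are checked before any byte is dereferenced, so input that fills its allocation exactly (the ASan report places szText 0 bytes after the 27135-byte region) cannot be read past its end. isNumChar(), tokenValue() and the clamp to 65535 are this example's assumptions; parseTextArrayBounded() mirrors the ParseTextArrayNum() contract visible in frame #6 of the lldb session.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Added example, not DemoIccMAX code: a length-bounded rewrite of the
// ParseText() loop from the report. The caller passes the text length, and
// the two count checks run before any byte is dereferenced, so a text that
// fills its allocation exactly (no terminating NUL) is never read past its end.

// Assumed equivalent of the report's icIsNumChar().
static bool isNumChar(char c) {
    return (c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.';
}

// Convert one NUL-terminated token. Values outside 0..65535 (negatives wrap
// in strtoul) clamp to 65535 instead of silently truncating (assumption).
static uint16_t tokenValue(const char *num) {
    unsigned long v = std::strtoul(num, nullptr, 10);
    return static_cast<uint16_t>(v > 0xFFFF ? 0xFFFF : v);
}

// Parse whitespace-separated numbers from text[0..textLen) into pBuf, storing
// at most nSize values. Returns the number stored. Never reads text[textLen]
// and never writes pBuf[nSize].
unsigned parseTextBounded(uint16_t *pBuf, unsigned nSize, const char *text, size_t textLen) {
    unsigned n = 0;
    char num[256];            // same token buffer size as the original
    size_t numLen = 0;
    size_t pos = 0;
    while (n < nSize && pos < textLen) {   // bounds first, dereference second
        const char c = text[pos++];
        if (isNumChar(c)) {
            if (numLen + 1 < sizeof(num))  // keep room for the NUL; over-long tokens are cut
                num[numLen++] = c;
        } else if (numLen) {               // a delimiter closes the current token
            num[numLen] = '\0';
            pBuf[n++] = tokenValue(num);
            numLen = 0;
        }
    }
    if (numLen && n < nSize) {             // token that ends exactly at textLen
        num[numLen] = '\0';
        pBuf[n++] = tokenValue(num);
    }
    return n;
}

// Same contract as ParseTextArrayNum() in frame #6: the array is sized to the
// pre-counted number of values and parsing must fill it exactly.
bool parseTextArrayBounded(std::vector<uint16_t> &out, unsigned expected,
                           const char *text, size_t textLen) {
    out.assign(expected, 0);
    return parseTextBounded(out.data(), expected, text, textLen) == expected;
}

// Constructed input: a short curve table copied without its NUL, the state an
// exact-size allocation filled by memcpy would be left in.
std::vector<char> makeUnterminatedText() {
    static const char src[] = " 0 20 40 59\n 79 99 119 139 65535";
    return std::vector<char>(src, src + sizeof(src) - 1);   // sizeof counts the NUL; drop it
}
```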
Steps to Reproduce / PoC
Testing % ./iccFromXML mcs/17ChanWithSpots-MVIS.xml mcs/17ChanWithSpots-MVIS.icc
Crash Details
mcs % ../iccFromXML 17ChanWithSpots-MVIS.xml 17ChanWithSpots-MVIS.icc
iccFromXML(83678,0x7ff84af6cb40) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==83678==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006bff at pc 0x0001064dc32d bp 0x7ff7ba4b2190 sp 0x7ff7ba4b2188
READ of size 1 at 0x62b000006bff thread T0
#0 0x1064dc32c in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*) IccUtilXml.cpp:1003
#1 0x1064ddcf8 in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(char const*, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccUtilXml.cpp:821
#2 0x1063e645f in CIccSinglSampledeCurveXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:646
#3 0x1063ec27d in CIccMpeXmlCurveSet::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:986
#4 0x1064019f0 in CIccMpeXmlCalculator::ParseImport(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2180
#5 0x106414905 in CIccMpeXmlCalculator::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2697
#6 0x1064a2dc7 in CIccTagXmlMultiProcessElement::ParseElement(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:3997
#7 0x1064a402e in CIccTagXmlMultiProcessElement::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:4057
#8 0x10645421e in CIccProfileXml::ParseTag(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:700
#9 0x106455a6e in CIccProfileXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:801
#10 0x106455f5f in CIccProfileXml::LoadXml(char const*, char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*) IccProfileXml.cpp:858
#11 0x105a50043 in main IccFromXml.cpp:68
#12 0x7ff8075e23a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
0x62b000006bff is located 0 bytes after 27135-byte region [0x62b000000200,0x62b000006bff)
allocated by thread T0 here:
#0 0x10796cfbd in wrap__Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xebfbd)
#1 0x1063e5a90 in CIccSinglSampledeCurveXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:582
#2 0x1063ec27d in CIccMpeXmlCurveSet::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:986
#3 0x1064019f0 in CIccMpeXmlCalculator::ParseImport(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2180
#4 0x106414905 in CIccMpeXmlCalculator::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2697
#5 0x1064a2dc7 in CIccTagXmlMultiProcessElement::ParseElement(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:3997
#6 0x1064a402e in CIccTagXmlMultiProcessElement::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:4057
#7 0x10645421e in CIccProfileXml::ParseTag(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:700
#8 0x106455a6e in CIccProfileXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:801
#9 0x106455f5f in CIccProfileXml::LoadXml(char const*, char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*) IccProfileXml.cpp:858
#10 0x105a50043 in main IccFromXml.cpp:68
#11 0x7ff8075e23a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
SUMMARY: AddressSanitizer: heap-buffer-overflow IccUtilXml.cpp:1003 in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*)
Shadow bytes around the buggy address:
0x62b000006900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62b000006980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62b000006a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62b000006a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62b000006b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62b000006b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
0x62b000006c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62b000006c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62b000006d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62b000006d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62b000006e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==83678==ABORTING
zsh: abort ../iccFromXML 17ChanWithSpots-MVIS.xml 17ChanWithSpots-MVIS.icc
lldb session
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = Heap buffer overflow
* frame #0: 0x0000000101f68cc0 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
frame #1: 0x0000000101f82c5f libclang_rt.asan_osx_dynamic.dylib`__sanitizer::Die() + 175
frame #2: 0x0000000101f66f2a libclang_rt.asan_osx_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
frame #3: 0x0000000101f661dd libclang_rt.asan_osx_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
frame #4: 0x0000000101f67328 libclang_rt.asan_osx_dynamic.dylib`__asan_report_load1 + 40
frame #5: 0x0000000100adc32d libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(pBuf=0x0000625000007900, nSize=4096, szText="") at IccUtilXml.cpp:1003:10
frame #6: 0x0000000100addcf9 libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(this=0x00007ff7bfefb4e0, szText=" 0 20 40 59 79 99 119 139 158 178 198 218 238 257 277 297\n 317 336 356 376 396 416 435 455 475 495 515 534 554 574 594 614\n 633 653 673 693 713 732 752 772 792 812 831 851 871 891 911 930\n 950 970 990 1009 1029 1049 1069 1089 1108 1128 1148 1168 1188 1207 1227 1247\n 1267 1287 1306 1326 1346 1366 1386 1405 1425 1445 1465 1485 1504 1524 1544 1564\n 1584 1603 1623 1643 1663 1683 1703 1722 1742 1762 1782 1802 1822 1842 1862 1881\n 1901 1921 1941 1961 1981 2001 2021 2041 2060 2080 2100 2120 2140 2160 2179 2199\n 2219 2239 2259 2278 2298 2318 2337 2357 2377 2396 2416 2435 2455 2474 2494 2513\n 2533 2552 2572 2591 2611 2630 2650 2669 2689 2708 2727 2747 2766 2786 2805 2824\n 2844 2863 2883 2902 2921 2941 2960 2979 2999 3018 "..., num=27135, parseStr="") at IccUtilXml.cpp:821:12
frame #7: 0x00000001009e6460 libIccXML2.2.dylib`CIccSinglSampledeCurveXml::ParseXml(this=0x0000606000005c00, pNode=0x000060c00000be00, parseStr="") at IccMpeXml.cpp:646:19
frame #8: 0x00000001009ec27e libIccXML2.2.dylib`CIccMpeXmlCurveSet::ParseXml(this=0x0000604000001450, pNode=0x000060c00000be00, parseStr="") at IccMpeXml.cpp:986:22
frame #9: 0x0000000100a019f1 libIccXML2.2.dylib`CIccMpeXmlCalculator::ParseImport(this=0x0000612000000340, pNode=0x000060c00000b500, importPath="*", parseStr="") at IccMpeXml.cpp:2180:26
frame #10: 0x0000000100a14906 libIccXML2.2.dylib`CIccMpeXmlCalculator::ParseXml(this=0x0000612000000340, pNode=0x000060c00000b500, parseStr="") at IccMpeXml.cpp:2697:8
frame #11: 0x0000000100aa2dc8 libIccXML2.2.dylib`CIccTagXmlMultiProcessElement::ParseElement(this=0x0000607000000330, pNode=0x000060c00000b500, parseStr="") at IccTagXml.cpp:3997:20
frame #12: 0x0000000100aa402f libIccXML2.2.dylib`CIccTagXmlMultiProcessElement::ParseXml(this=0x0000607000000330, pNode=0x000060c00000b200, parseStr="") at IccTagXml.cpp:4057:12
frame #13: 0x0000000100a5421f libIccXML2.2.dylib`CIccProfileXml::ParseTag(this=0x00007ff7bfeff120, pNode=0x000060c00000ae40, parseStr="") at IccProfileXml.cpp:700:20
frame #14: 0x0000000100a55a6f libIccXML2.2.dylib`CIccProfileXml::ParseXml(this=0x00007ff7bfeff120, pNode=0x000060c000007cc0, parseStr="") at IccProfileXml.cpp:801:12
frame #15: 0x0000000100a55f60 libIccXML2.2.dylib`CIccProfileXml::LoadXml(this=0x00007ff7bfeff120, szFilename="17ChanWithSpots-MVIS.xml", szRelaxNGDir="", parseStr="") at IccProfileXml.cpp:858:13
frame #16: 0x0000000100007044 iccFromXML`main(argc=3, argv=0x00007ff7bfeff7f0) at IccFromXml.cpp:68:18
frame #17: 0x00007ff8075e23a6 dyld`start + 1942
(lldb) fr se 5
frame #5: 0x0000000100adc32d libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(pBuf=0x0000625000007900, nSize=4096, szText="") at IccUtilXml.cpp:1003:10
1000 bool bInNum = false;
1001 char num[256];
1002
-> 1003 while (*szText && n<nSize) {
1004 if (icIsNumChar(*szText)) {
1005 if (!bInNum) {
1006 bInNum = true;
(lldb) fr va
(unsigned short *) pBuf = 0x0000625000007900
(icUInt32Number) nSize = 4096
(const char *) szText = 0x000062b000006bff ""
(icUInt32Number) n = 4096
(icUInt32Number) b = 5
(bool) bInNum = false
(char[256]) num = "65535\0\0\0\xa03\xf7J\xf8\U0000007f\0\0\n\0\0\0\0\0\0\0\U00000002\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\xff\xff\0\0\0\0\U00000001\0\0\00B\xf9\U00000001\U00000001\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\xf0\xb1\xef\xbf\xf7\U0000007f\0\0\x92\0\xf7\U00000001\U00000001\0\0\0\0\0\0\0\0\0\0\0\xe0Y\0\00`\0\0`\xb2\xef\xbf\xf7\U0000007f\0\0\x83T\xe8\U00000001\U00000001\0\0\0\0\0\0\0\0\0\0\0\U00000001\0\0\0\n\0\0\0P\xb2\xef\xbf\xf7\U0000007f\0\0\xa9\U00000015\xaf\0\U00000001\0\0\0\xa0\xb2\xef\xbf\xf7\U0000007f\0\0g\0\x82\a\xf8\U0000007f\0\U00000001\xcc\U0000001c\U0000001cI\xf8\U0000007f\0\0\U00000006\0\0\U00000001\xb4\x81\U00000001\0\0@\0\0\0\0\0\0@\xb3\xef\xbf\n\0\0\0p\xb2\xef\xbf\xf7\U0000007f\0\0z\xa3\xad\0\U00000001\0\0\0Pf\0\0\U00000001\0\0\0`\xf7\xef\xbf\n\0\0\0 \xb4\xef\xbf\xf7\U0000007f\0\04ͭ\0\U00000001"
(lldb) re re
General Purpose Registers:
rbx = 0x00007ff7bfefb2c0
rbp = 0x00007ff7bfefb420
rsp = 0x00007ff7bfefb160
r12 = 0x00007ff7bfeff5e0
r13 = 0x0000000000000000
r14 = 0x0000000100006650 iccFromXML`main at IccFromXml.cpp:15
r15 = 0x00007ff7bfeff760
rip = 0x0000000100adc32d libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*) + 477 at IccUtilXml.cpp:1003:10
13 registers were unavailable.
(lldb) dis -s $pc-32 -c 24
libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText:
0x100adc30d <+445>: addb %cl, -0x75(%rax)
0x100adc310 <+448>: xorl $-0x7d, 0x48000000(%rax)
0x100adc317 <+455>: loopne 0x100adc320 ; <+464> at IccUtilXml.cpp:1003:10
0x100adc319 <+457>: cmpb %cl, %al
0x100adc31b <+459>: jl 0x100adc32f ; <+479> at IccUtilXml.cpp
0x100adc321 <+465>: movq 0xb0(%rbx), %rdi
0x100adc328 <+472>: callq 0x100af7a05 ; symbol stub for: __asan_report_load1
-> 0x100adc32d <+477>: ud2
0x100adc32f <+479>: movq 0xb0(%rbx), %rcx
0x100adc336 <+486>: xorl %eax, %eax
0x100adc338 <+488>: cmpb $0x0, (%rcx)
0x100adc33b <+491>: movb %al, 0xaf(%rbx)
0x100adc341 <+497>: je 0x100adc39f ; <+591> at IccUtilXml.cpp
0x100adc347 <+503>: movq 0x57b6a(%rip), %rax ; __profc__ZN16CIccXmlArrayTypeItL18icTagTypeSignature1969828150EE9ParseTextEPtjPKc + 16
0x100adc34e <+510>: addq $0x1, %rax
0x100adc352 <+514>: movq %rax, 0x57b5f(%rip) ; __profc__ZN16CIccXmlArrayTypeItL18icTagTypeSignature1969828150EE9ParseTextEPtjPKc + 16
0x100adc359 <+521>: movl 0x104(%rbx), %eax
0x100adc35f <+527>: cmpl 0x114(%rbx), %eax
0x100adc365 <+533>: setb %al
0x100adc368 <+536>: movb %al, 0xae(%rbx)
0x100adc36e <+542>: testb $0x1, %al
0x100adc370 <+544>: movb %al, 0xaf(%rbx)
0x100adc376 <+550>: jne 0x100adc381 ; <+561> at IccUtilXml.cpp
0x100adc37c <+556>: jmp 0x100adc39f ; <+591> at IccUtilXml.cpp
(lldb) fr se 6
frame #6: 0x0000000100addcf9 libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(this=0x00007ff7bfefb4e0, szText=" 0 20 40 59 79 99 119 139 158 178 198 218 238 257 277 297\n 317 336 356 376 396 416 435 455 475 495 515 534 554 574 594 614\n 633 653 673 693 713 732 752 772 792 812 831 851 871 891 911 930\n 950 970 990 1009 1029 1049 1069 1089 1108 1128 1148 1168 1188 1207 1227 1247\n 1267 1287 1306 1326 1346 1366 1386 1405 1425 1445 1465 1485 1504 1524 1544 1564\n 1584 1603 1623 1643 1663 1683 1703 1722 1742 1762 1782 1802 1822 1842 1862 1881\n 1901 1921 1941 1961 1981 2001 2021 2041 2060 2080 2100 2120 2140 2160 2179 2199\n 2219 2239 2259 2278 2298 2318 2337 2357 2377 2396 2416 2435 2455 2474 2494 2513\n 2533 2552 2572 2591 2611 2630 2650 2669 2689 2708 2727 2747 2766 2786 2805 2824\n 2844 2863 2883 2902 2921 2941 2960 2979 2999 3018 "..., num=27135, parseStr="") at IccUtilXml.cpp:821:12
818 if (n) {
819 if (!SetSize(n))
820 return false;
-> 821 return ParseText(m_pBuf, m_nSize, szText)==m_nSize;
822 }
823
824 return false;
(lldb) fr va
(CIccXmlArrayType<unsigned short, icSigUInt16ArrayType> *) this = 0x00007ff7bfefb4e0
(const char *) szText = 0x000062b000000200 " 0 20 40 59 79 99 119 139 158 178 198 218 238 257 277 297\n 317 336 356 376 396 416 435 455 475 495 515 534 554 574 594 614\n 633 653 673 693 713 732 752 772 792 812 831 851 871 891 911 930\n 950 970 990 1009 1029 1049 1069 1089 1108 1128 1148 1168 1188 1207 1227 1247\n 1267 1287 1306 1326 1346 1366 1386 1405 1425 1445 1465 1485 1504 1524 1544 1564\n 1584 1603 1623 1643 1663 1683 1703 1722 1742 1762 1782 1802 1822 1842 1862 1881\n 1901 1921 1941 1961 1981 2001 2021 2041 2060 2080 2100 2120 2140 2160 2179 2199\n 2219 2239 2259 2278 2298 2318 2337 2357 2377 2396 2416 2435 2455 2474 2494 2513\n 2533 2552 2572 2591 2611 2630 2650 2669 2689 2708 2727 2747 2766 2786 2805 2824\n 2844 2863 2883 2902 2921 2941 2960 2979 2999 3018 "...
(icUInt32Number) num = 27135
(std::string &) parseStr = ""
(icUInt32Number) n = 4096
(lldb) re re
General Purpose Registers:
rbx = 0x00007ff7bfefb580
rbp = 0x00007ff7bfefb490
rsp = 0x00007ff7bfefb430
r12 = 0x00007ff7bfeff5e0
r13 = 0x0000000000000000
r14 = 0x0000000100006650 iccFromXML`main at IccFromXml.cpp:15
r15 = 0x00007ff7bfeff760
rip = 0x0000000100addcf9 libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(char const*, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) + 297 at IccUtilXml.cpp:821:12
13 registers were unavailable.
(lldb) dis -s $pc-32 -c 24
libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum:
0x100addcd9 <+265>: addb %al, (%rax)
0x100addcdb <+267>: movq -0x38(%rbp), %rdi
0x100addcdf <+271>: callq 0x100af7a17 ; symbol stub for: __asan_report_load4
0x100addce4 <+276>: ud2
0x100addce6 <+278>: movq -0x38(%rbp), %rax
0x100addcea <+282>: movq -0x50(%rbp), %rdi
0x100addcee <+286>: movl (%rax), %esi
0x100addcf0 <+288>: movq -0x18(%rbp), %rdx
0x100addcf4 <+292>: callq 0x100af6ee9 ; symbol stub for: CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*)
-> 0x100addcf9 <+297>: movl %eax, %ecx
0x100addcfb <+299>: movq -0x38(%rbp), %rax
0x100addcff <+303>: movl %ecx, -0x58(%rbp)
0x100addd02 <+306>: shrq $0x3, %rax
0x100addd06 <+310>: movabsq $0x100000000000, %rcx ; imm = 0x100000000000
0x100addd10 <+320>: orq %rcx, %rax
0x100addd13 <+323>: movb (%rax), %al
0x100addd15 <+325>: movb %al, -0x51(%rbp)
0x100addd18 <+328>: cmpb $0x0, %al
0x100addd1a <+330>: je 0x100addd42 ; <+370> at IccUtilXml.cpp
0x100addd20 <+336>: movb -0x51(%rbp), %cl
0x100addd23 <+339>: movq -0x38(%rbp), %rax
0x100addd27 <+343>: andq $0x7, %rax
0x100addd2b <+347>: addq $0x3, %rax
0x100addd2f <+351>: cmpb %cl, %al
Clang Static Analyzer Report
Logic error
- Assigned value is garbage or undefined: 2
- Called C++ object pointer is null: 3
- Dereference of null pointer: 13
- Garbage return value: 1
- Result of operation is garbage or undefined: 4
- Uninitialized argument value: 6
- Unix API: 4
Memory error
- Bad deallocator: 7
- Double free: 2
- Memory leak: 10
- Use-after-free: 8
Unix API
- Allocator sizeof operand mismatch: 1
Unused code
- Dead assignment: 28
- Dead increment: 3
- Dead initialization: 20
- Dead nested assignment: 1
Knowledgebase
https://bugs.chromium.org/p/project-zero/issues/detail?id=2225
https://bugs.chromium.org/p/project-zero/issues/detail?id=2226
https://srd.cx/cve-2022-26730/
https://srd.cx/cve-2023-32443/
Clang Static Analyzer Report https://xss.cx/2023/10/29/src/demomax-clang-static-analysis/
Pull Request #53
icFixXml function [CVE-2023-46602]
CIccPRMG::GetChroma function [CVE-2023-46603]
Related news
In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.