CVE-2023-46867: Bugs from Fuzzing · Issue #54 · InternationalColorConsortium/DemoIccMAX

In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.


Bug 1 - Heap Buffer Overflow in CIccCLUT::Interp3d

Severity: Reference Implementation | High

Description

A heap buffer overflow has been identified in the CIccCLUT::Interp3d method. This vulnerability can lead to potential crashes or undefined behavior when certain conditions are met.

Steps to Reproduce

  • Utilize the CIccCLUT::Interp3d method on a CIccCLUT object under conditions where m_nNumPoints * m_nOutput equals 0.
  • Attempt to access indices beyond the allocated size of the m_pData array.

Debug Session

(lldb) fr se 5
frame #5: 0x0000000100e8c982 libIccProfLib2.2.dylib`CIccCLUT::Interp3d(this=0x0000614000000440, destPixel=0x00007ff7bfefde80, srcPixel=0x00007ff7bfefde80) const at IccTagLut.cpp:2594:27
   2591                return;
   2592            }
   2593
-> 2594            destPixel[i] = p[n000] * dF0 + p[n001] * dF1 + p[n010] * dF2 + p[n011] * dF3 +
   2595                           p[n100] * dF4 + p[n101] * dF5 + p[n110] * dF6 + p[n111] * dF7;
   2596        }
   2597    }
(lldb) frame variable
(CIccCLUT *) this = 0x0000614000000440
(icFloatNumber *) destPixel = 0x00007ff7bfefde80
(const icFloatNumber *) srcPixel = 0x00007ff7bfefde80
(icUInt8Number) mx = '\xff'
(icUInt8Number) my = '\xff'
(icUInt8Number) mz = '\xff'
(icFloatNumber) x = 0
(icFloatNumber) y = 0
(icFloatNumber) z = 0
(icUInt32Number) ix = 0
(icUInt32Number) iy = 0
(icUInt32Number) iz = 0
(icFloatNumber) u = 0
(icFloatNumber) t = 0
(icFloatNumber) s = 0
(icFloatNumber) ns = 1
(icFloatNumber) nt = 1
(icFloatNumber) nu = 1
(icFloatNumber) dF0 = 1
(icFloatNumber) dF1 = 0
(icFloatNumber) dF2 = 0
(icFloatNumber) dF3 = 0
(icFloatNumber) dF4 = 0
(icFloatNumber) dF5 = 0
(icFloatNumber) dF6 = 0
(icFloatNumber) dF7 = 0
(icUInt32Number) maxIndex = 50331647
(icFloatNumber *) pStart = 0x00006020000002d0
(int) i = 0
(icFloatNumber *) p = 0x00006020000002d0
(lldb) dis -s $pc-32 -c 24
libIccProfLib2.2.dylib`CIccCLUT::Interp3d:
    0x100e8c962 <+2978>: loopne 0x100e8c961               ; <+2977> at IccTagLut.cpp

Symptoms

  • The program crashes with an AddressSanitizer report indicating a heap-buffer-overflow in CIccCLUT::Interp3d.
  • The value of m_nNumPoints * m_nOutput is 0, indicating that the m_pData array might not have been allocated or is of size 0.
  • Attempts are made to access indices as high as 3 and potentially up to 50331647 (as indicated by the maxIndex variable).

Potential Causes

  • Improper initialization or setup of the CIccCLUT object.
  • Possible errors in the copy constructor or assignment operator of CIccCLUT.
  • The m_pData array might be reallocated with a different size elsewhere in the code.
  • Invalid or corrupt input data affecting the CIccCLUT object's construction.
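The two conditions the report lists for Bug 1, a data array whose size works out to zero and a corner index that lies past the allocation, are exactly what a CLUT interpolation routine should reject before it reads anything. The C++ below is an added example written for this page, not code from DemoIccMAX: a minimal 3D CLUT whose Interp3d validates the table first and refuses to run otherwise. The struct, member and helper names, the x-major data layout, and which corner each of the weights dF0..dF7 belongs to are assumptions; only the variable names echo the lldb frame shown above.

```cpp
// Added example, not DemoIccMAX code: a minimal 3D CLUT whose Interp3d refuses
// to run on a table that is empty (grid points * outputs == 0) or whose highest
// corner lies past the end of the data array. Names and layout are assumptions.
#include <cstddef>
#include <cstdint>
#include <vector>

struct SimpleClut3d {
    uint32_t grid = 0;        // grid points per axis (assumed equal on all three)
    uint32_t outputs = 0;     // output channels stored at each grid node
    std::vector<float> data;  // grid*grid*grid*outputs floats, x-major

    // Offset (in floats) of node (ix, iy, iz) within data.
    size_t NodeOffset(uint32_t ix, uint32_t iy, uint32_t iz) const {
        return ((static_cast<size_t>(ix) * grid + iy) * grid + iz) * outputs;
    }

    // The up-front guard. 64-bit arithmetic keeps grid^3*outputs from wrapping,
    // and maxIndex is the first float past the top corner's output block.
    bool IsConsistent() const {
        if (grid < 2 || outputs == 0) return false;   // covers the "* == 0" case
        uint64_t needed = static_cast<uint64_t>(grid) * grid * grid * outputs;
        if (needed > data.size()) return false;
        size_t maxIndex = NodeOffset(grid - 1, grid - 1, grid - 1) + outputs;
        return maxIndex <= data.size();
    }

    // Trilinear interpolation at (x, y, z), each in [0,1]; writes `outputs`
    // values to dest. Returns false, touching nothing, when the table is bad.
    bool Interp3d(float* dest, float x, float y, float z) const {
        if (!IsConsistent()) return false;
        const float top = static_cast<float>(grid - 1);
        auto scale = [top](float v) {
            float c = (v < 0.f) ? 0.f : ((v > 1.f) ? 1.f : v);
            return c * top;
        };
        x = scale(x); y = scale(y); z = scale(z);
        uint32_t ix = static_cast<uint32_t>(x);
        uint32_t iy = static_cast<uint32_t>(y);
        uint32_t iz = static_cast<uint32_t>(z);
        // Keep the base node one below the top edge so ix+1 etc. stay in the grid.
        if (ix > grid - 2) ix = grid - 2;
        if (iy > grid - 2) iy = grid - 2;
        if (iz > grid - 2) iz = grid - 2;
        const float u = x - ix, t = y - iy, s = z - iz;      // fractional parts
        const float nu = 1.f - u, nt = 1.f - t, ns = 1.f - s;
        // Corner weights: dF0 is the (ix,iy,iz) corner, dF7 is (ix+1,iy+1,iz+1).
        const float dF0 = nu*nt*ns, dF1 = nu*nt*s, dF2 = nu*t*ns, dF3 = nu*t*s,
                    dF4 = u*nt*ns,  dF5 = u*nt*s,  dF6 = u*t*ns,  dF7 = u*t*s;
        const size_t n000 = NodeOffset(ix, iy, iz),         n001 = NodeOffset(ix, iy, iz + 1),
                     n010 = NodeOffset(ix, iy + 1, iz),     n011 = NodeOffset(ix, iy + 1, iz + 1),
                     n100 = NodeOffset(ix + 1, iy, iz),     n101 = NodeOffset(ix + 1, iy, iz + 1),
                     n110 = NodeOffset(ix + 1, iy + 1, iz), n111 = NodeOffset(ix + 1, iy + 1, iz + 1);
        const float* p = data.data();
        for (uint32_t i = 0; i < outputs; ++i) {
            dest[i] = p[n000 + i] * dF0 + p[n001 + i] * dF1 + p[n010 + i] * dF2 + p[n011 + i] * dF3 +
                      p[n100 + i] * dF4 + p[n101 + i] * dF5 + p[n110 + i] * dF6 + p[n111 + i] * dF7;
        }
        return true;
    }
};

// Constructed 2x2x2 table with one output: node value = 4*ix + 2*iy + iz,
// which trilinear interpolation reproduces exactly as 4x + 2y + z.
static SimpleClut3d MakeTestClut() {
    SimpleClut3d c;
    c.grid = 2;
    c.outputs = 1;
    c.data = {0.f, 1.f, 2.f, 3.f, 4.f, 5.f, 6.f, 7.f};
    return c;
}

// Interpolated value at (x, y, z) on the test table, or -1 if the table is rejected.
static float ProbeTestClut(float x, float y, float z) {
    float out = -1.f;
    return MakeTestClut().Interp3d(&out, x, y, z) ? out : -1.f;
}

// Both failure modes from the report are rejected instead of read out of bounds.
static bool ZeroSizedTableRejected() {
    SimpleClut3d c = MakeTestClut();
    c.outputs = 0;            // grid points * outputs == 0
    float out = 0.f;
    return !c.Interp3d(&out, 0.5f, 0.5f, 0.5f);
}

static bool ShortTableRejected() {
    SimpleClut3d c = MakeTestClut();
    c.data.pop_back();        // top corner now lies one float past the allocation
    float out = 0.f;
    return !c.Interp3d(&out, 1.f, 1.f, 1.f);
}
```

The check is deliberately placed in IsConsistent rather than in the sampling loop: once the table has been validated against its own allocation, the eight corner offsets cannot exceed maxIndex, so the hot loop stays branch-free and the sanitizer report above has no path to reproduce.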

Bug 2 - Segmentation Fault in CIccXformMatrixTRC::GetCurve

Severity: Reference Implementation | High

Description

A segmentation fault (SEGV) has been identified in the CIccXformMatrixTRC::GetCurve method within the IccCmm.cpp file, specifically at line 5240. The crash appears to be due to a read memory access at the zero address, suggesting a potential null pointer dereference.

Steps to Reproduce

  • Invoke the CIccXformMatrixTRC::GetCurve method with specific input that triggers the SEGV. The exact input causing this behavior needs further investigation.
  • Observe the crash due to a segmentation fault.

Crash Details

AddressSanitizer:DEADLYSIGNAL
=================================================================
==59095==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000104511cd4 bp 0x7ff7bc556550 sp 0x7ff7bc556500 T0)
==59095==The signal is caused by a READ memory access.
==59095==Hint: address points to the zero page.
    #0 0x104511cd4 in CIccXformMatrixTRC::GetCurve(unsigned int) const IccCmm.cpp:5240
    #1 0x10451107a in CIccXformMatrixTRC::Begin() IccCmm.cpp:5100
    #2 0x1045394a8 in CIccCmm::Begin(bool, bool) IccCmm.cpp:8297
    #3 0x1045905a4 in CIccEvalCompare::EvaluateProfile(CIccProfile*, unsigned char, icRenderingIntent, icXformInterp, bool) IccEval.cpp:110
    #4 0x104591419 in CIccEvalCompare::EvaluateProfile(char const*, unsigned char, icRenderingIntent, icXformInterp, bool) IccEval.cpp:197
    #5 0x1039ae0d2 in main iccRoundTrip.cpp:168
    #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

==59095==Register values:
rax = 0x0000000000000000  rbx = 0x00007ff7bc556900  rcx = 0x0000100000000000  rdx = 0x0000000000000000
rdi = 0x00007ff7bc5562c0  rsi = 0x00007ff7bc556320  rbp = 0x00007ff7bc556550  rsp = 0x00007ff7bc556500
 r8 = 0x0000604000001610   r9 = 0xf3f3f300f1f1f100  r10 = 0x00007fffffffffff  r11 = 0xffffffffffffff20
r12 = 0x00007ff7bc557590  r13 = 0x0000000000000000  r14 = 0x00000001039addb0  r15 = 0x00007ff7bc557710
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV IccCmm.cpp:5240 in CIccXformMatrixTRC::GetCurve(unsigned int) const

Symptoms

  • The program crashes with an AddressSanitizer report indicating a SEGV in CIccXformMatrixTRC::GetCurve.
  • The memory access causing the SEGV is a read operation from address 0x000000000000, which points to the zero page.
  • The crash occurs specifically at line IccCmm.cpp:5240.

Potential Causes

  • Dereferencing a null pointer or uninitialized pointer in the CIccXformMatrixTRC::GetCurve method.
  • An invalid curve index or parameter passed to the method, leading to out-of-bounds memory access.
  • Memory corruption elsewhere in the application affecting the behavior of the CIccXformMatrixTRC::GetCurve method.

Bugs 3 - 6

Bug Report: Undefined Behavior in IccTagLut.cpp and IccProfileXml.cpp

Severity: Reference Implementation | High

The UndefinedBehaviorSanitizer tool has identified multiple instances of undefined behavior within the IccTagLut.cpp and IccProfileXml.cpp files.

Bug 3 Description

File: IccTagLut.cpp
Line: 1798
Issue: Index -1 is being used to access an array of type icUInt32Number[16], which results in out-of-bounds access.

Bug 4 Description

File: IccTagLut.cpp
Line: 1799
Issue: Index -1 is being used to access an array of type icUInt8Number[16], which results in out-of-bounds access.

Bug 5 Description

File: IccProfileXml.cpp
Line: 128
Issue: Loading a value 2543294359 which is not a valid value for the type icPlatformSignature.

Bug 6 Description

File: IccProfileXml.cpp
Line: 129
Issue: Loading a value 2543294359 which is not a valid value for the type icPlatformSignature.

Bug 7

Severity: Reference Implementation | High

Description

Buffer Overflow in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(pBuf=0x0000625000007900, nSize=4096, szText="") at IccUtilXml.cpp:1003:10

This function parses numeric text into an array type; the crashing instance is the template instantiation for unsigned short (lldb resolves the signature 1969828150 to icSigUInt16ArrayType in frame #6 below).

Variables at Crash Time

  • pBuf: pointer to the buffer where parsed data is stored.
  • nSize: size of that buffer (4096).
  • szText: pointer to the text being parsed.
  • n: counter variable, also 4096 at the time of the crash.

Crash Location in Code

The crash occurs in the loop condition while (*szText && n<nSize) { at IccUtilXml.cpp:1003. Because *szText is evaluated before n<nSize, the loop still reads *szText once n equals nSize; by then szText has advanced to 0x62b000006bff, the first byte after the 27135-byte heap region that holds the text, so the read lands beyond the allocated buffer.
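As an added example, not DemoIccMAX code, here is the same loop written so that the array bound and the text bound are both checked before any byte is read, with the text length passed alongside the pointer so that a buffer with no NUL terminator (like the 27135-byte region in the crash report below) cannot be overrun. The function names, the saturating conversion to 16 bits, and the sample input are assumptions constructed for this page; the library's own ParseText takes only (pBuf, nSize, szText).

```cpp
// Added example, not DemoIccMAX code: a parser in the shape of the ParseText
// loop at IccUtilXml.cpp:1003 that checks both bounds before reading a byte.
// All names here are assumptions.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <vector>

// Parse whitespace-separated unsigned integers from text[0..textLen) into
// pBuf[0..nSize). Returns how many values were stored. Values above 65535
// saturate (a design choice for this example, not the library's behaviour).
static uint32_t ParseTextChecked(uint16_t* pBuf, uint32_t nSize,
                                 const char* text, size_t textLen) {
    uint32_t n = 0;
    size_t pos = 0;
    // Order matters: the array bound and the text bound are tested before
    // text[pos] is read, unlike `while (*szText && n<nSize)`.
    while (n < nSize && pos < textLen) {
        // skip anything that is not a digit
        while (pos < textLen && !std::isdigit(static_cast<unsigned char>(text[pos]))) ++pos;
        if (pos >= textLen) break;
        uint32_t value = 0;
        bool saturated = false;
        while (pos < textLen && std::isdigit(static_cast<unsigned char>(text[pos]))) {
            if (!saturated) {
                value = value * 10 + static_cast<uint32_t>(text[pos] - '0');
                if (value > 0xFFFF) saturated = true;   // stop accumulating, no wrap
            }
            ++pos;
        }
        pBuf[n++] = saturated ? 0xFFFF : static_cast<uint16_t>(value);
    }
    return n;
}

// Caller in the shape of ParseTextArrayNum: the declared element count must be
// met exactly, and the text length travels with the pointer.
static bool ParseTextArrayChecked(std::vector<uint16_t>& out, uint32_t declared,
                                  const char* text, size_t textLen) {
    if (declared == 0) return false;
    out.assign(declared, 0);
    return ParseTextChecked(out.data(), declared, text, textLen) == declared;
}

// Constructed input: copied into a vector WITHOUT its trailing NUL, so it
// reproduces the report's condition of a region that ends at the last byte.
static std::vector<char> MakeUnterminatedSample() {
    static const char kText[] = "             0    20    40    59\n            79    99";
    return std::vector<char>(kText, kText + sizeof(kText) - 1);
}

// Number of values recovered from the sample into an array of nSize entries.
static uint32_t CountParsed(uint32_t nSize) {
    std::vector<char> raw = MakeUnterminatedSample();
    std::vector<uint16_t> out(nSize, 0);
    return ParseTextChecked(out.data(), nSize, raw.data(), raw.size());
}

// Value at index idx after parsing the sample into nSize entries.
static uint16_t ValueAt(uint32_t nSize, uint32_t idx) {
    std::vector<char> raw = MakeUnterminatedSample();
    std::vector<uint16_t> out(nSize, 0);
    ParseTextChecked(out.data(), nSize, raw.data(), raw.size());
    return idx < nSize ? out[idx] : 0;
}

// Whether the sample satisfies a declared count (mirrors the == m_nSize check).
static bool SampleMatchesDeclared(uint32_t declared) {
    std::vector<char> raw = MakeUnterminatedSample();
    std::vector<uint16_t> out;
    return ParseTextArrayChecked(out, declared, raw.data(), raw.size());
}

// An out-of-range token saturates instead of wrapping into a small value.
static uint16_t ParseSaturated() {
    const char kBig[] = "70000";
    uint16_t v = 0;
    ParseTextChecked(&v, 1, kBig, sizeof(kBig) - 1);
    return v;
}
```

Two properties follow from the reordered condition: when the output array fills first (nSize smaller than the number of tokens) the loop stops without touching the rest of the text, and when the text runs out first the caller's equality check against the declared count fails cleanly instead of the parser walking off the end looking for a terminator.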

Steps to Reproduce / PoC

Testing % ./iccFromXML mcs/17ChanWithSpots-MVIS.xml mcs/17ChanWithSpots-MVIS.icc

Crash Details

mcs % ../iccFromXML 17ChanWithSpots-MVIS.xml 17ChanWithSpots-MVIS.icc
iccFromXML(83678,0x7ff84af6cb40) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==83678==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006bff at pc 0x0001064dc32d bp 0x7ff7ba4b2190 sp 0x7ff7ba4b2188
READ of size 1 at 0x62b000006bff thread T0
    #0 0x1064dc32c in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*) IccUtilXml.cpp:1003
    #1 0x1064ddcf8 in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(char const*, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccUtilXml.cpp:821
    #2 0x1063e645f in CIccSinglSampledeCurveXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:646
    #3 0x1063ec27d in CIccMpeXmlCurveSet::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:986
    #4 0x1064019f0 in CIccMpeXmlCalculator::ParseImport(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2180
    #5 0x106414905 in CIccMpeXmlCalculator::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2697
    #6 0x1064a2dc7 in CIccTagXmlMultiProcessElement::ParseElement(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:3997
    #7 0x1064a402e in CIccTagXmlMultiProcessElement::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:4057
    #8 0x10645421e in CIccProfileXml::ParseTag(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:700
    #9 0x106455a6e in CIccProfileXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:801
    #10 0x106455f5f in CIccProfileXml::LoadXml(char const*, char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*) IccProfileXml.cpp:858
    #11 0x105a50043 in main IccFromXml.cpp:68
    #12 0x7ff8075e23a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

0x62b000006bff is located 0 bytes after 27135-byte region [0x62b000000200,0x62b000006bff)
allocated by thread T0 here:
    #0 0x10796cfbd in wrap__Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xebfbd)
    #1 0x1063e5a90 in CIccSinglSampledeCurveXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:582
    #2 0x1063ec27d in CIccMpeXmlCurveSet::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:986
    #3 0x1064019f0 in CIccMpeXmlCalculator::ParseImport(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2180
    #4 0x106414905 in CIccMpeXmlCalculator::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccMpeXml.cpp:2697
    #5 0x1064a2dc7 in CIccTagXmlMultiProcessElement::ParseElement(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:3997
    #6 0x1064a402e in CIccTagXmlMultiProcessElement::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccTagXml.cpp:4057
    #7 0x10645421e in CIccProfileXml::ParseTag(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:700
    #8 0x106455a6e in CIccProfileXml::ParseXml(_xmlNode*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:801
    #9 0x106455f5f in CIccProfileXml::LoadXml(char const*, char const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*) IccProfileXml.cpp:858
    #10 0x105a50043 in main IccFromXml.cpp:68
    #11 0x7ff8075e23a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

SUMMARY: AddressSanitizer: heap-buffer-overflow IccUtilXml.cpp:1003 in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*)
Shadow bytes around the buggy address:
  0x62b000006900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62b000006980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62b000006a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62b000006a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62b000006b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62b000006b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x62b000006c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62b000006c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62b000006d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62b000006d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62b000006e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==83678==ABORTING
zsh: abort      ../iccFromXML 17ChanWithSpots-MVIS.xml 17ChanWithSpots-MVIS.icc

lldb session

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = Heap buffer overflow
  * frame #0: 0x0000000101f68cc0 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x0000000101f82c5f libclang_rt.asan_osx_dynamic.dylib`__sanitizer::Die() + 175
    frame #2: 0x0000000101f66f2a libclang_rt.asan_osx_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
    frame #3: 0x0000000101f661dd libclang_rt.asan_osx_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
    frame #4: 0x0000000101f67328 libclang_rt.asan_osx_dynamic.dylib`__asan_report_load1 + 40
    frame #5: 0x0000000100adc32d libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(pBuf=0x0000625000007900, nSize=4096, szText="") at IccUtilXml.cpp:1003:10
    frame #6: 0x0000000100addcf9 libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(this=0x00007ff7bfefb4e0, szText="             0    20    40    59    79    99   119   139   158   178   198   218   238   257   277   297\n            317   336   356   376   396   416   435   455   475   495   515   534   554   574   594   614\n            633   653   673   693   713   732   752   772   792   812   831   851   871   891   911   930\n            950   970   990  1009  1029  1049  1069  1089  1108  1128  1148  1168  1188  1207  1227  1247\n           1267  1287  1306  1326  1346  1366  1386  1405  1425  1445  1465  1485  1504  1524  1544  1564\n           1584  1603  1623  1643  1663  1683  1703  1722  1742  1762  1782  1802  1822  1842  1862  1881\n           1901  1921  1941  1961  1981  2001  2021  2041  2060  2080  2100  2120  2140  2160  2179  2199\n           2219  2239  2259  2278  2298  2318  2337  2357  2377  2396  2416  2435  2455  2474  2494  2513\n           2533  2552  2572  2591  2611  2630  2650  2669  2689  2708  2727  2747  2766  2786  2805  2824\n           2844  2863  2883  2902  2921  2941  2960  2979  2999  3018  "..., num=27135, parseStr="") at IccUtilXml.cpp:821:12
    frame #7: 0x00000001009e6460 libIccXML2.2.dylib`CIccSinglSampledeCurveXml::ParseXml(this=0x0000606000005c00, pNode=0x000060c00000be00, parseStr="") at IccMpeXml.cpp:646:19
    frame #8: 0x00000001009ec27e libIccXML2.2.dylib`CIccMpeXmlCurveSet::ParseXml(this=0x0000604000001450, pNode=0x000060c00000be00, parseStr="") at IccMpeXml.cpp:986:22
    frame #9: 0x0000000100a019f1 libIccXML2.2.dylib`CIccMpeXmlCalculator::ParseImport(this=0x0000612000000340, pNode=0x000060c00000b500, importPath="*", parseStr="") at IccMpeXml.cpp:2180:26
    frame #10: 0x0000000100a14906 libIccXML2.2.dylib`CIccMpeXmlCalculator::ParseXml(this=0x0000612000000340, pNode=0x000060c00000b500, parseStr="") at IccMpeXml.cpp:2697:8
    frame #11: 0x0000000100aa2dc8 libIccXML2.2.dylib`CIccTagXmlMultiProcessElement::ParseElement(this=0x0000607000000330, pNode=0x000060c00000b500, parseStr="") at IccTagXml.cpp:3997:20
    frame #12: 0x0000000100aa402f libIccXML2.2.dylib`CIccTagXmlMultiProcessElement::ParseXml(this=0x0000607000000330, pNode=0x000060c00000b200, parseStr="") at IccTagXml.cpp:4057:12
    frame #13: 0x0000000100a5421f libIccXML2.2.dylib`CIccProfileXml::ParseTag(this=0x00007ff7bfeff120, pNode=0x000060c00000ae40, parseStr="") at IccProfileXml.cpp:700:20
    frame #14: 0x0000000100a55a6f libIccXML2.2.dylib`CIccProfileXml::ParseXml(this=0x00007ff7bfeff120, pNode=0x000060c000007cc0, parseStr="") at IccProfileXml.cpp:801:12
    frame #15: 0x0000000100a55f60 libIccXML2.2.dylib`CIccProfileXml::LoadXml(this=0x00007ff7bfeff120, szFilename="17ChanWithSpots-MVIS.xml", szRelaxNGDir="", parseStr="") at IccProfileXml.cpp:858:13
    frame #16: 0x0000000100007044 iccFromXML`main(argc=3, argv=0x00007ff7bfeff7f0) at IccFromXml.cpp:68:18
    frame #17: 0x00007ff8075e23a6 dyld`start + 1942
(lldb) fr se 5
frame #5: 0x0000000100adc32d libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(pBuf=0x0000625000007900, nSize=4096, szText="") at IccUtilXml.cpp:1003:10
   1000   bool bInNum = false;
   1001   char num[256];
   1002
-> 1003   while (*szText && n<nSize) {
   1004       if (icIsNumChar(*szText)) {
   1005       if (!bInNum) {
   1006         bInNum = true;
(lldb) fr va
(unsigned short *) pBuf = 0x0000625000007900
(icUInt32Number) nSize = 4096
(const char *) szText = 0x000062b000006bff ""
(icUInt32Number) n = 4096
(icUInt32Number) b = 5
(bool) bInNum = false
(char[256]) num = "65535\0\0\0\xa03\xf7J\xf8\U0000007f\0\0\n\0\0\0\0\0\0\0\U00000002\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\xff\xff\0\0\0\0\U00000001\0\0\00B\xf9\U00000001\U00000001\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\xf0\xb1\xef\xbf\xf7\U0000007f\0\0\x92\0\xf7\U00000001\U00000001\0\0\0\0\0\0\0\0\0\0\0\xe0Y\0\00`\0\0`\xb2\xef\xbf\xf7\U0000007f\0\0\x83T\xe8\U00000001\U00000001\0\0\0\0\0\0\0\0\0\0\0\U00000001\0\0\0\n\0\0\0P\xb2\xef\xbf\xf7\U0000007f\0\0\xa9\U00000015\xaf\0\U00000001\0\0\0\xa0\xb2\xef\xbf\xf7\U0000007f\0\0g\0\x82\a\xf8\U0000007f\0\U00000001\xcc\U0000001c\U0000001cI\xf8\U0000007f\0\0\U00000006\0\0\U00000001\xb4\x81\U00000001\0\0@\0\0\0\0\0\0@\xb3\xef\xbf\n\0\0\0p\xb2\xef\xbf\xf7\U0000007f\0\0z\xa3\xad\0\U00000001\0\0\0Pf\0\0\U00000001\0\0\0`\xf7\xef\xbf\n\0\0\0 \xb4\xef\xbf\xf7\U0000007f\0\04ͭ\0\U00000001"
(lldb) re re
General Purpose Registers:
       rbx = 0x00007ff7bfefb2c0
       rbp = 0x00007ff7bfefb420
       rsp = 0x00007ff7bfefb160
       r12 = 0x00007ff7bfeff5e0
       r13 = 0x0000000000000000
       r14 = 0x0000000100006650  iccFromXML`main at IccFromXml.cpp:15
       r15 = 0x00007ff7bfeff760
       rip = 0x0000000100adc32d  libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*) + 477 at IccUtilXml.cpp:1003:10
13 registers were unavailable.

(lldb) dis -s $pc-32 -c 24
libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText:
    0x100adc30d <+445>: addb   %cl, -0x75(%rax)
    0x100adc310 <+448>: xorl   $-0x7d, 0x48000000(%rax)
    0x100adc317 <+455>: loopne 0x100adc320               ; <+464> at IccUtilXml.cpp:1003:10
    0x100adc319 <+457>: cmpb   %cl, %al
    0x100adc31b <+459>: jl     0x100adc32f               ; <+479> at IccUtilXml.cpp
    0x100adc321 <+465>: movq   0xb0(%rbx), %rdi
    0x100adc328 <+472>: callq  0x100af7a05               ; symbol stub for: __asan_report_load1
->  0x100adc32d <+477>: ud2
    0x100adc32f <+479>: movq   0xb0(%rbx), %rcx
    0x100adc336 <+486>: xorl   %eax, %eax
    0x100adc338 <+488>: cmpb   $0x0, (%rcx)
    0x100adc33b <+491>: movb   %al, 0xaf(%rbx)
    0x100adc341 <+497>: je     0x100adc39f               ; <+591> at IccUtilXml.cpp
    0x100adc347 <+503>: movq   0x57b6a(%rip), %rax       ; __profc__ZN16CIccXmlArrayTypeItL18icTagTypeSignature1969828150EE9ParseTextEPtjPKc + 16
    0x100adc34e <+510>: addq   $0x1, %rax
    0x100adc352 <+514>: movq   %rax, 0x57b5f(%rip)       ; __profc__ZN16CIccXmlArrayTypeItL18icTagTypeSignature1969828150EE9ParseTextEPtjPKc + 16
    0x100adc359 <+521>: movl   0x104(%rbx), %eax
    0x100adc35f <+527>: cmpl   0x114(%rbx), %eax
    0x100adc365 <+533>: setb   %al
    0x100adc368 <+536>: movb   %al, 0xae(%rbx)
    0x100adc36e <+542>: testb  $0x1, %al
    0x100adc370 <+544>: movb   %al, 0xaf(%rbx)
    0x100adc376 <+550>: jne    0x100adc381               ; <+561> at IccUtilXml.cpp
    0x100adc37c <+556>: jmp    0x100adc39f               ; <+591> at IccUtilXml.cpp
(lldb) fr se 6
frame #6: 0x0000000100addcf9 libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(this=0x00007ff7bfefb4e0, szText="             0    20    40    59    79    99   119   139   158   178   198   218   238   257   277   297\n            317   336   356   376   396   416   435   455   475   495   515   534   554   574   594   614\n            633   653   673   693   713   732   752   772   792   812   831   851   871   891   911   930\n            950   970   990  1009  1029  1049  1069  1089  1108  1128  1148  1168  1188  1207  1227  1247\n           1267  1287  1306  1326  1346  1366  1386  1405  1425  1445  1465  1485  1504  1524  1544  1564\n           1584  1603  1623  1643  1663  1683  1703  1722  1742  1762  1782  1802  1822  1842  1862  1881\n           1901  1921  1941  1961  1981  2001  2021  2041  2060  2080  2100  2120  2140  2160  2179  2199\n           2219  2239  2259  2278  2298  2318  2337  2357  2377  2396  2416  2435  2455  2474  2494  2513\n           2533  2552  2572  2591  2611  2630  2650  2669  2689  2708  2727  2747  2766  2786  2805  2824\n           2844  2863  2883  2902  2921  2941  2960  2979  2999  3018  "..., num=27135, parseStr="") at IccUtilXml.cpp:821:12
   818    if (n) {
   819      if (!SetSize(n))
   820        return false;
-> 821      return ParseText(m_pBuf, m_nSize, szText)==m_nSize;
   822    }
   823
   824    return false;
(lldb) fr va
(CIccXmlArrayType<unsigned short, icSigUInt16ArrayType> *) this = 0x00007ff7bfefb4e0
(const char *) szText = 0x000062b000000200 "             0    20    40    59    79    99   119   139   158   178   198   218   238   257   277   297\n            317   336   356   376   396   416   435   455   475   495   515   534   554   574   594   614\n            633   653   673   693   713   732   752   772   792   812   831   851   871   891   911   930\n            950   970   990  1009  1029  1049  1069  1089  1108  1128  1148  1168  1188  1207  1227  1247\n           1267  1287  1306  1326  1346  1366  1386  1405  1425  1445  1465  1485  1504  1524  1544  1564\n           1584  1603  1623  1643  1663  1683  1703  1722  1742  1762  1782  1802  1822  1842  1862  1881\n           1901  1921  1941  1961  1981  2001  2021  2041  2060  2080  2100  2120  2140  2160  2179  2199\n           2219  2239  2259  2278  2298  2318  2337  2357  2377  2396  2416  2435  2455  2474  2494  2513\n           2533  2552  2572  2591  2611  2630  2650  2669  2689  2708  2727  2747  2766  2786  2805  2824\n           2844  2863  2883  2902  2921  2941  2960  2979  2999  3018  "...
(icUInt32Number) num = 27135
(std::string &) parseStr = ""
(icUInt32Number) n = 4096
(lldb) re re
General Purpose Registers:
       rbx = 0x00007ff7bfefb580
       rbp = 0x00007ff7bfefb490
       rsp = 0x00007ff7bfefb430
       r12 = 0x00007ff7bfeff5e0
       r13 = 0x0000000000000000
       r14 = 0x0000000100006650  iccFromXML`main at IccFromXml.cpp:15
       r15 = 0x00007ff7bfeff760
       rip = 0x0000000100addcf9  libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum(char const*, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) + 297 at IccUtilXml.cpp:821:12
13 registers were unavailable.

(lldb) dis -s $pc-32 -c 24
libIccXML2.2.dylib`CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseTextArrayNum:
    0x100addcd9 <+265>: addb   %al, (%rax)
    0x100addcdb <+267>: movq   -0x38(%rbp), %rdi
    0x100addcdf <+271>: callq  0x100af7a17               ; symbol stub for: __asan_report_load4
    0x100addce4 <+276>: ud2
    0x100addce6 <+278>: movq   -0x38(%rbp), %rax
    0x100addcea <+282>: movq   -0x50(%rbp), %rdi
    0x100addcee <+286>: movl   (%rax), %esi
    0x100addcf0 <+288>: movq   -0x18(%rbp), %rdx
    0x100addcf4 <+292>: callq  0x100af6ee9               ; symbol stub for: CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::ParseText(unsigned short*, unsigned int, char const*)
->  0x100addcf9 <+297>: movl   %eax, %ecx
    0x100addcfb <+299>: movq   -0x38(%rbp), %rax
    0x100addcff <+303>: movl   %ecx, -0x58(%rbp)
    0x100addd02 <+306>: shrq   $0x3, %rax
    0x100addd06 <+310>: movabsq $0x100000000000, %rcx     ; imm = 0x100000000000
    0x100addd10 <+320>: orq    %rcx, %rax
    0x100addd13 <+323>: movb   (%rax), %al
    0x100addd15 <+325>: movb   %al, -0x51(%rbp)
    0x100addd18 <+328>: cmpb   $0x0, %al
    0x100addd1a <+330>: je     0x100addd42               ; <+370> at IccUtilXml.cpp
    0x100addd20 <+336>: movb   -0x51(%rbp), %cl
    0x100addd23 <+339>: movq   -0x38(%rbp), %rax
    0x100addd27 <+343>: andq   $0x7, %rax
    0x100addd2b <+347>: addq   $0x3, %rax
    0x100addd2f <+351>: cmpb   %cl, %al

Clang Static Analyzer Report

Logic error

Assigned value is garbage or undefined 2
Called C++ object pointer is null 3
Dereference of null pointer 13
Garbage return value 1
Result of operation is garbage or undefined 4
Uninitialized argument value 6
Unix API 4

Memory error

Bad deallocator 7
Double free 2
Memory leak 10
Use-after-free 8

Unix API

Allocator sizeof operand mismatch 1

Unused code

Dead assignment 28
Dead increment 3
Dead initialization 20
Dead nested assignment 1

Knowledgebase

https://bugs.chromium.org/p/project-zero/issues/detail?id=2225
https://bugs.chromium.org/p/project-zero/issues/detail?id=2226
https://srd.cx/cve-2022-26730/
https://srd.cx/cve-2023-32443/
Clang Static Analyzer Report https://xss.cx/2023/10/29/src/demomax-clang-static-analysis/
Pull Request #53
icFixXml function [CVE-2023-46602]
CIccPRMG::GetChroma function [CVE-2023-46603]

Related news

CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.


CVE-2022-26730: About the security content of macOS Ventura 13

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.