Update: Fix the Compile Error in IccUtil.cpp, Fix a return value in IccTagXml.cpp #66
Change the unconditional return statement at the end of the CIccTagXmlProfileSequenceId::ParseXml function from false to true. Fixed the compile error in IccUtil.cpp due to integer value 4294967295 being outside the valid range of values [0, 3] for this enumeration type. This is the only code change proposed for this PR.
CVE-2024-38427 | Incorrect Function Return Value in CIccTagXmlProfileSequenceId::ParseXml

TL;DR
A logic flaw in the CIccTagXmlProfileSequenceId::ParseXml function of the DemoIccMAX Project, where the function unconditionally returned false, has been assigned CVE-2024-38427.

CVE-2024-38427
CIccTagXmlProfileSequenceId::ParseXml
CVSS 3.1 Base Score: 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

DemoIccMAX Project Overview
The DemoIccMAX project (formally known as RefIccMAX) provides an open-source set of libraries and tools for the interaction, manipulation, and application of iccMAX-based color management profiles based on the iccMAX profile specification, as well as legacy ICC profiles defined by earlier ICC profile specifications.
Bug Details
Bug Type
CWE-253: Incorrect Check of Function Return Value
A logic flaw in the CIccTagXmlProfileSequenceId::ParseXml function of the DemoIccMAX project resulted in the unconditional return value of false. This flaw allowed user-controllable inputs in the XML to be processed, potentially leading to arbitrary code execution in the context of the user account credential. The code for CIccTagXmlProfileSequenceId::ParseXml was committed in 2015, in a codebase of approximately 100K lines of code (LoC), and is widely reused.

Prior Art
Over the past 3 years there have been many similar reports of color profile processing resulting in overflow conditions and memory corruption.
PoC
Call Graph for CIccTagXmlProfileSequenceId::ParseXml
When the return value is set to false unconditionally, the ParseXml helper function does not complete its intended parsing process. As a result, the ICC profile is left in an incomplete or inconsistent state. Despite this, the caller proceeds with the validation process, which can lead to erroneous validation results or crashes due to incomplete or corrupt data when processing nodes.

Understanding the Call Graph Nodes
The nodes in the call graph represent function calls made within CIccTagXmlProfileSequenceId::ParseXml.
Functions & Purposes:
CIccUTF16String::c_str: Retrieves a C-style string from a UTF-16 string.
icGetSigVal: Extracts a signature value.
icXmlAttrValue: Retrieves an attribute value from an XML node.
icXmlFindAttr: Finds an attribute within an XML node.
icXmlFindNode: Finds a child node within an XML node.
icXmlGetHexData: Converts hex data from a string to a binary format.
CIccTagMultiLocalizedUnicode::SetText: Sets a localized text value.
CIccLocalizedUnicode::SetText: Sets text for a localized Unicode object.

Call Graph for CIccTagXmlDict::ParseXml
When ParseXml correctly returns true, the profile is fully parsed, and tags are processed. The Validate function can assess the profile, producing meaningful warnings and errors.

DemoIccMAX Documentation
Finding a Logical Flaw
Manual Code Review
Commit 889db62 was the entry point for code review. The codebase is approximately 100K lines of code, which is significant and requires a deep dive to understand the reference implementation.
I used basic command-line analysis tools like ctags and cscope with vim, and Doxygen with interactive SVG images to review the source code and call graphs. Knowing that any code utilizing ParseXml would be vulnerable, I started by setting up a ctags database using:
Then set up the cscope database using:
Search for ParseXml:
Contents of cscope_output.txt
Functions that Indirectly Call into CIccTagXmlProfileSequenceId::ParseXml:

CIccTagXmlProfileSequenceId::ParseXml
The critical point is the return false. This unconditional return value passes unsanitized XML to the caller, potentially leading to arbitrary code execution in the context of the user credential. Let's examine how the code handles data with this unconditional return value and compare it to the corrected return value of true.

Confirm false is incorrect unconditional return value
Taking a look at program execution flow, this is with the function CIccTagXmlProfileSequenceId::ParseXml and the return value == false, stepping through the code in lldb.
Key Observations:
Changed Behavior with Correct Return Value true:
When ParseXml correctly returns true:
Complete Parsing: The profile is fully parsed, and all tags are processed correctly.
Accurate Validation: The Validate function can accurately assess the profile, producing meaningful warnings and errors.
Stability: The validation process is less likely to encounter crashes due to incomplete data structures.
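As an added example (hypothetical code, not DemoIccMAX's own and not this PR's patch), the following ProfileSequenceId-style parser shows the CWE-253 pattern described above beside a corrected version; it goes one step beyond the PR's false-to-true change by also propagating failures from the hex-decoding helper. XML nodes are modelled as (idHex, text) pairs so it runs stand-alone.

```cpp
// Added example, hypothetical: not DemoIccMAX code. Nodes are (idHex, text) pairs.
#include <cctype>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

struct SeqEntry {
    std::vector<uint8_t> profileId;  // 16-byte profile ID decoded from hex text
    std::string description;
};
using XmlNodes = std::vector<std::pair<std::string, std::string>>;

// Decode hex text into bytes; false on odd length or a non-hex character.
static bool DecodeHex(const std::string &hex, std::vector<uint8_t> &out) {
    out.clear();
    if (hex.size() % 2 != 0) return false;
    for (size_t i = 0; i < hex.size(); i += 2) {
        if (!std::isxdigit((unsigned char)hex[i]) || !std::isxdigit((unsigned char)hex[i + 1])) return false;
        out.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    }
    return true;
}

// CWE-253 pattern: work is done, helper results dropped, constant false returned,
// so valid and malformed input look identical to the caller.
bool ParseSequenceFlawed(const XmlNodes &nodes, std::vector<SeqEntry> &out) {
    out.clear();
    for (const auto &n : nodes) {
        SeqEntry e;
        DecodeHex(n.first, e.profileId);  // return value ignored
        e.description = n.second;
        out.push_back(e);
    }
    return false;  // unconditional
}

// Corrected: true only when every node yielded a well-formed 16-byte ID;
// on failure no partially built state is handed back to the caller.
bool ParseSequenceFixed(const XmlNodes &nodes, std::vector<SeqEntry> &out) {
    out.clear();
    for (const auto &n : nodes) {
        SeqEntry e;
        if (!DecodeHex(n.first, e.profileId) || e.profileId.size() != 16) { out.clear(); return false; }
        e.description = n.second;
        out.push_back(e);
    }
    return true;
}
```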
Reviewing the Code References now that the unconditional return value has been corrected:
The key difference is that there are now 240 references instead of 226, indicating additional code paths are exercised with this changed return value.
CIccTagXmlProfileSequenceId::ParseXml return true

Confirm true is correct unconditional return value
The return value is corrected to true in CIccTagXmlProfileSequenceId::ParseXml:
Stepping through the updated code with lldb confirms the fix:
With the corrected return value of true, the ICC profile parsing, validation, and saving processes complete successfully without errors. The program performs all necessary memory cleanup operations, preventing leaks; new parsing errors with XML data now surface.

Analysis of XML Unit Test Errors
There are unit test errors that indicate issues with parsing specific XML elements and types.
Import and File Parsing Failures
Example: Failed to parse import RefEstimationImport.xml file.
Implication: The parser failed to process the entire import file, which could indicate further functions in the code need review and adjustment.
Tag Member Parsing Failures
Example: Failed to parse tag member float16NumberType.
Implication: The parser encountered issues while parsing specific tag members, likely due to unsupported or incorrectly defined tag types.
Tag Parsing Failures
Example: Unable to parse float16ArrayType (float16NumberType) tag.
Implication: The parser failed to handle specific tags, which may be due to missing implementations or unsupported tag types in the current parser.
Element Parsing Failures
Example: Unable to parse element (CalculatorElement) tag.
Implication: Specific elements within the XML files could not be parsed. This could indicate the inability to process certain element types.
General Parsing Failures
Example: Unable to parse CMYK-3DLUTs.xml file.
Implication: The parser could not process the entire XML file, possibly due to logic flaws or other memory issues.
Sample Parser Output
Detailed Report
Import and File Parsing Failures
Files Affected:
RefEstimationImport.xml
17ChanPart1.xml
17ChanWithSpots-MVIS.xml
18ChanWithSpots-MVIS.xml
CMYK-3DLUTs.xml
CMYK-3DLUTs2.xml
CMYKOGP-MVIS-Smooth.xml
ISO22028-Encoded-bg-sRGB.xml
ISO22028-Encoded-sRGB.xml
LaserProjector.xml
NamedColor.xml
RefDecC.xml
RefDecH.xml
RefIncW.xml
argbRef.xml
calcExercizeOps.xml
sRgbEncodingOverrides.xml
srgbCalc++Test.xml
srgbCalcTest.xml
srgbRef.xml
Issues:
Tag Member Parsing Failures
Tags Affected:
float16NumberType
float32NumberType
Issues:
Tag Parsing Failures
Tags Affected:
Issues:
Element Parsing Failures
Elements Affected:
Issues:
DORKs for IccXmlLib or IccProfLib
Finding Open Source Repositories
Identifying Web Applications and Services:
Locating Documentation and Tutorials
Finding Vulnerable Instances
Observations
The use of using convert_type = std::codecvt_utf8<wchar_t>; and its related functionality in the DemoIccMAX Project is significant and potentially non-trivial to refactor comprehensively (std::codecvt_utf8 and std::wstring_convert are deprecated as of C++17, which is the source of the compiler warning below).

Details
File: DemoIccMAX-master/IccProfLib/IccTagDict.cpp:88:27
Code:
using convert_type = std::codecvt_utf8<wchar_t>;
File: DemoIccMAX-master/IccProfLib/IccTagDict.cpp:216:24 'convert_type' is deprecated
Code:
std::wstring_convert<convert_type, wchar_t> converter;

Knowledgebase
My Prior Research
My Current CVEs for the DemoIccMAX Project