Labels
Bug, Bug Report, Triaged (Maintainer indicates triaged status and ready for developer handoff), libFuzzer Related
Description
Maintainer Repro
2026-02-28 01:56:21 UTC
Git
186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)
Command Line
Step 3. printf "'RGB '\nicEncodeFloat\n0.5\t0.5\t0.5\n" | iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm /dev/stdin 3 1 hbo-CIccPcsXform-pushXYZConvert-IccCmm_cpp-Line3000.icc 1 hbo-CIccPcsXform-pushXYZConvert-IccCmm_cpp-Line3000-part2.icc 1
PoC Output
[2026-02-28 01:54:58 UTC] ~/po/research (main)$ printf "'RGB '\nicEncodeFloat\n0.5\t0.5\t0.5\n" | iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm /dev/stdin 3 1 hbo-CIccPcsXform-pushXYZConvert-IccCmm_cpp-Line3000.icc 1 hbo-CIccPcsXform-pushXYZConvert-IccCmm_cpp-Line3000-part2.icc 1
=================================================================
==150162==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000214 at pc 0x735d4c6b6293 bp 0x7ffd98d85550 sp 0x7ffd98d85548
READ of size 4 at 0x502000000214 thread T0
#0 0x735d4c6b6292 in CIccPcsXform::pushXYZConvert(CIccXform*, CIccXform*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:3000:56
#1 0x735d4c69f556 in CIccPcsXform::Connect(CIccXform*, CIccXform*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:2100:23
#2 0x735d4c761e61 in CIccCmm::CheckPCSConnections(bool) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:8576:20
#3 0x735d4c793216 in CIccNamedColorCmm::Begin(bool, bool) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:10827:8
#4 0x5fdf8dd1b4e2 in main /home/h02332/po/research/iccDEV/Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:397:21
#5 0x735d4b82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x735d4b82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5fdf8dc3aa24 in _start (/home/h02332/po/research/iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x12da24) (BuildId: 9bc6833bdf200b01868e2abc095c17e7cfbceb27)
0x502000000214 is located 0 bytes after 4-byte region [0x502000000210,0x502000000214)
allocated by thread T0 here:
#0 0x5fdf8dcd5a5d in calloc (/home/h02332/po/research/iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x1c8a5d) (BuildId: 9bc6833bdf200b01868e2abc095c17e7cfbceb27)
#1 0x735d4c8ad69e in CIccMpeMatrix::SetSize(unsigned short, unsigned short, bool) /home/h02332/po/research/iccDEV/IccProfLib/IccMpeBasic.cpp:4993:36
#2 0x735d4c8b00af in CIccMpeMatrix::Read(unsigned int, CIccIO*) /home/h02332/po/research/iccDEV/IccProfLib/IccMpeBasic.cpp:5121:10
#3 0x735d4cd0d0da in CIccTagMultiProcessElement::Read(unsigned int, CIccIO*) /home/h02332/po/research/iccDEV/IccProfLib/IccTagMPE.cpp:1068:21
#4 0x735d4d4ee7d8 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) /home/h02332/po/research/iccDEV/Build/Cmake/../../IccProfLib/IccTagBasic.h:193:92
#5 0x735d4c9ebcf6 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) /home/h02332/po/research/iccDEV/IccProfLib/IccProfile.cpp:1335:14
#6 0x735d4c9ea58d in CIccProfile::FindTag(IccTagEntry&) /home/h02332/po/research/iccDEV/IccProfLib/IccProfile.cpp:437:5
#7 0x735d4c9ea2ae in CIccProfile::FindTag(unsigned int) /home/h02332/po/research/iccDEV/IccProfLib/IccProfile.cpp:412:12
#8 0x735d4c9eef09 in CIccProfile::FindTagOfType(unsigned int, icTagTypeSignature) /home/h02332/po/research/iccDEV/IccProfLib/IccProfile.cpp:488:19
#9 0x735d4d4fc5ba in CIccProfile::getStandardToCustomPcc() /home/h02332/po/research/iccDEV/Build/Cmake/../../IccProfLib/IccProfile.h:201:68
#10 0x735d4c6b5821 in CIccPcsXform::pushXYZConvert(CIccXform*, CIccXform*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:2983:49
#11 0x735d4c69f556 in CIccPcsXform::Connect(CIccXform*, CIccXform*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:2100:23
#12 0x735d4c761e61 in CIccCmm::CheckPCSConnections(bool) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:8576:20
#13 0x735d4c793216 in CIccNamedColorCmm::Begin(bool, bool) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:10827:8
#14 0x5fdf8dd1b4e2 in main /home/h02332/po/research/iccDEV/Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:397:21
#15 0x735d4b82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x735d4b82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#17 0x5fdf8dc3aa24 in _start (/home/h02332/po/research/iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x12da24) (BuildId: 9bc6833bdf200b01868e2abc095c17e7cfbceb27)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:3000:56 in CIccPcsXform::pushXYZConvert(CIccXform*, CIccXform*)
Shadow bytes around the buggy address:
0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x502000000000: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
0x502000000080: fa fa 00 00 fa fa 00 fa fa fa 01 fa fa fa 00 fa
0x502000000100: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x502000000180: fa fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 04
=>0x502000000200: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==150162==ABORTING
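The trace shows a 4-byte region (one float, i.e. a 1x1 element) allocated in CIccMpeMatrix::SetSize being read one element past its end in CIccPcsXform::pushXYZConvert, which presumably expects a 3x3 XYZ conversion matrix (an assumption from the function name). The following is an added illustration of that pattern and of the dimension check that prevents it; it uses hypothetical names (MpeMatrix, checked_trace) and is not iccDEV's code.

```cpp
#include <cstdint>
#include <cstdlib>

// Hypothetical model of the pattern in this report (not iccDEV code):
// matrix storage is sized from dimensions read out of the profile, while a
// later consumer assumes a 3x3 XYZ matrix (9 floats).
struct MpeMatrix {
  uint16_t nInput = 0, nOutput = 0;
  float *pMatrix = nullptr;
  bool SetSize(uint16_t in, uint16_t out) {
    std::free(pMatrix);
    nInput = in;
    nOutput = out;
    // in*out floats: a 1x1 element yields the 4-byte region seen in the ASan report
    pMatrix = static_cast<float *>(std::calloc((size_t)in * out, sizeof(float)));
    return pMatrix != nullptr;
  }
  ~MpeMatrix() { std::free(pMatrix); }
};

// Unchecked consumer mirroring the crash: reading element [4] or [8] of a
// 1x1 matrix is the "0 bytes after 4-byte region" overflow. Shown for
// contrast only; never call it on data whose dimensions were not validated.
float unchecked_trace(const MpeMatrix &m) {
  return m.pMatrix[0] + m.pMatrix[4] + m.pMatrix[8];  // assumes 9 floats
}

// Hardened consumer: validate the file-supplied dimensions before indexing.
// Returns false (and leaves *out untouched) for anything that is not 3x3.
bool checked_trace(const MpeMatrix &m, float *out) {
  if (!m.pMatrix || m.nInput != 3 || m.nOutput != 3) return false;
  *out = m.pMatrix[0] + m.pMatrix[4] + m.pMatrix[8];
  return true;
}

// Constructed inputs: the 1x1 case from the report and a well-formed 3x3.
bool demo_rejects_1x1() {
  MpeMatrix m;
  m.SetSize(1, 1);  // same 4-byte allocation as in the report
  float t = -1.0f;
  return !checked_trace(m, &t) && t == -1.0f;
}

bool demo_accepts_3x3() {
  MpeMatrix m;
  m.SetSize(3, 3);
  for (int i = 0; i < 9; i++) m.pMatrix[i] = (float)i;
  float t = 0.0f;
  return checked_trace(m, &t) && t == 12.0f;  // diagonal 0 + 4 + 8
}
```

Under ASan the unchecked path reproduces the same heap-buffer-overflow class on the 1x1 input; the checked path rejects it before any read.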