HBO in icMemDump() at IccUtil.cpp:1002 #674
Description
Maintainer Repro
2026-03-13 13:25:39 UTC
Git
feac0229 (HEAD -> main) afl: update AFL++ 4.09c → 4.36a (built from source)
Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/hbo-icMemDump-IccUtil_cpp-Line1002.icc
Step 2. ASAN_OPTIONS=print_scariness=1:halt_on_error=0:abort_on_error=0:print_full_stacktrace=1:detect_leaks=0 iccDEV/Build/Tools/IccDumpProfile/iccDumpProfile -v 100 hbo-icMemDump-IccUtil_cpp-Line1002.icc ALL
PoC Output
Built with IccProfLib version 2.3.1.5
Profile: 'hbo-icMemDump-IccUtil_cpp-Line1002.icc'
Profile ID: 00000000000000000000004900000000
Size: 720 (0x2d0) bytes
Header
------
Attributes: Reflective | Glossy
Cmm: Unknown NULL
Creation Date: 0/0/0 (M/D/Y) 00:00:00
Creator: NULL
Device Manufacturer:NULL
Data Color Space: RgbData
Flags: EmbeddedProfileFalse | UseAnywhere
PCS Color Space: NoData
Platform: Unknown
Rendering Intent: Perceptual
Profile Class: ColorEncodingClass
Profile SubClass: Not Defined
Version: 5.00
Illuminant: X=0.0005, Y=0.0000, Z=0.0000
Spectral PCS: NoSpectralData
Spectral PCS Range: start=0.0nm, end=0.2nm, steps=0
BiSpectral Range: Not Defined
MCS Color Space: Not Defined
Profile Tags (3)
------------
Tag ID Offset Size Pad
---- ------ ------ ---- ---
referenceNameTag 'rfnm' 168 20 0
colorSpaceNameTag 'csnm' 188 7 9
colorEncodingParamsTag 'cept' 204 516 0
Contents of referenceNameTag tag ('rfnm' = 72666E6D)
Type: utf16Type ('ut16' = 75743136)
UTF16 Length = 5 bytes
"䥓传㈲"
Contents of colorSpaceNameTag tag ('csnm' = 63736E6D)
Type: Unknown NULL (NULL)
=================================================================
==1434234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000b4 at pc 0x7ac3a35a9b71 bp 0x7ffedbb68010 sp 0x7ffedbb68008
READ of size 1 at 0x5020000000b4 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x7ac3a35a9b70 in icMemDump(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, void*, unsigned long) IccProfLib/IccUtil.cpp:1002:36
#1 0x7ac3a32ad6df in CIccTagUnknown::Describe(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, int) IccProfLib/IccTagBasic.cpp:356:5
#2 0x598a2b7a49a7 in DumpTagCore(CIccTag*, icTagSignature, int) Tools/CmdLine/IccDumpProfile/iccDumpProfile.cpp:108:11
#3 0x598a2b7a4fc3 in DumpTagEntry(CIccProfile*, IccTagEntry&, int) Tools/CmdLine/IccDumpProfile/iccDumpProfile.cpp:127:3
#4 0x598a2b7af2a8 in main Tools/CmdLine/IccDumpProfile/iccDumpProfile.cpp:443:11
#5 0x7ac3a222a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7ac3a222a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x598a2b6c86a4 in _start (Build/Tools/IccDumpProfile/iccDumpProfile+0x416a4) (BuildId: b4713588f5874fe6c697935058ebcb0e21bc6053)
0x5020000000b4 is located 1 bytes after 3-byte region [0x5020000000b0,0x5020000000b3)
allocated by thread T0 here:
#0 0x598a2b7a1c31 in operator new[](unsigned long) (Build/Tools/IccDumpProfile/iccDumpProfile+0x11ac31) (BuildId: b4713588f5874fe6c697935058ebcb0e21bc6053)
#1 0x7ac3a32ac399 in CIccTagUnknown::Read(unsigned int, CIccIO*) IccProfLib/IccTagBasic.cpp:291:15
#2 0x7ac3a33c388a in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) IccProfLib/IccTagBasic.h:193:92
#3 0x7ac3a3218af1 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfLib/IccProfile.cpp:1335:14
#4 0x7ac3a322ab78 in CIccProfile::ReadValidate(CIccIO*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccProfLib/IccProfile.cpp:961:10
#5 0x7ac3a326b86b in ValidateIccProfile(char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, icValidateStatus&) IccProfLib/IccProfile.cpp:3763:19
#6 0x598a2b7a5e5d in main Tools/CmdLine/IccDumpProfile/iccDumpProfile.cpp:198:12
#7 0x7ac3a222a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7ac3a222a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x598a2b6c86a4 in _start (Build/Tools/IccDumpProfile/iccDumpProfile+0x416a4) (BuildId: b4713588f5874fe6c697935058ebcb0e21bc6053)
SUMMARY: AddressSanitizer: heap-buffer-overflow IccProfLib/IccUtil.cpp:1002:36 in icMemDump(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, void*, unsigned long)
Shadow bytes around the buggy address:
0x501ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x502000000000: fa fa fd fd fa fa 00 fa fa fa fd fa fa fa fd fd
=>0x502000000080: fa fa 00 02 fa fa[03]fa fa fa fd fd fa fa fd fd
0x502000000100: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa 00 00
0x502000000180: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fa
0x502000000200: fa fa fd fa fa fa fd fd fa fa fa fa fa fa fa fa
0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1434234==ABORTING