NPD in CIccTagLut16::Write() at IccTagLut.cpp:5361 #702

@xsscx

Description

Maintainer Repro

2026-03-18 17:42:13 UTC

Git

4df1fe0 (HEAD -> master, origin/master, origin/HEAD) Fix: Init in iccV5DspObsToV4Dsp (#695)

git checkout -- . && git --no-pager diff --stat HEAD
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV/Build
export CXX=clang++ && export CXXFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O1 -fprofile-arcs -ftest-coverage" && export LDFLAGS="-fsanitize=address,undefined -fprofile-arcs" && cmake Cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON -DENABLE_UBSAN=ON -DENABLE_COVERAGE=ON -DENABLE_TOOLS=ON
make -j32
cd ../Testing/
echo "=== Updating PATH ==="
for d in ../Build/Tools/*; do
  [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
done
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/tif/npd-CIccTagLut16-Write-IccTagLut_cpp-Line5361.icc
iccTiffDump npd-CIccTagLut16-Write-IccTagLut_cpp-Line5361.icc foo.bar

PoC Output

2026-03-18 13:41:24 (31.7 MB/s) - ‘npd-CIccTagLut16-Write-IccTagLut_cpp-Line5361.icc’ saved [3840/3840]
...
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
-------------------->Tiff Image Dump<---------------------------
Filename:          npd-CIccTagLut16-Write-IccTagLut_cpp-Line5361.icc
Size:              (4 x 4) pixels, (inf" x inf")
Planar:            Interleaved samples
BitsPerSample:     8
SamplesPerPixel:   4
ExtraSamples:      1
Photometric:       RGB
BytesPerLine:      16
Resolution:        (0.000000 x 0.000000) pixels per/inch
Compression:       None
Profile:           Embedded
ICC profile saved to: outtiff.icc
 Version:          5.00
 Color Space:      0xBColorData
 Colorimetric PCS: Unknown 'XY? ' = 5859A320
IccTagLut.h:142:59: runtime error: reference binding to null pointer of type 'icFloatNumber' (aka 'float')
    #0 0x7f4930f6bcbf in CIccTagCurve::operator[](unsigned int) IccTagLut.h:142:52
    #1 0x7f49312a7980 in CIccTagLut16::Write(CIccIO*) IccTagLut.cpp:5361:32
    #2 0x7f49310d0d7b in CIccProfile::Write(CIccIO*, icProfileIDSaveMethod) IccProfile.cpp:1066:18
    #3 0x7f49310f2edb in SaveIccProfile(char const*, CIccProfile*, icProfileIDSaveMethod) IccProfile.cpp:3855:14
    #4 0x580e0ecd99a0 in main iccTiffDump.cpp:237:13
    #5 0x7f493042a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f493042a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x580e0ebfb654 in _start (iccTiffDump+0x35654) (BuildId: ce33b61181adc72405bc52ca548bf2ecbe2bc00d)
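The report above is a UBSan "reference binding to null pointer" finding: an element accessor forms a reference into a sample array that was never allocated, and the writer indexes it without first checking that the curve has any entries. The block below is an added illustration of that pattern and of the size check a writer should make; it is not iccDEV code. ToyCurve, EncodeLut16 and WriteCurveSamples are constructed stand-ins, and only the type name icFloatNumber is taken from the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration, not iccDEV code. ToyCurve stands in for a curve tag
// whose sample array was never allocated (zero entries), the state the
// UBSan report for this issue points at. icFloatNumber is the type name
// shown in the report; everything else here is constructed.
typedef float icFloatNumber;

class ToyCurve {
public:
    explicit ToyCurve(std::size_t n)
        : m_count(n), m_data(n ? new icFloatNumber[n]() : nullptr) {}
    ~ToyCurve() { delete[] m_data; }
    ToyCurve(const ToyCurve&) = delete;
    ToyCurve& operator=(const ToyCurve&) = delete;

    std::size_t GetSize() const { return m_count; }

    // Unchecked accessor: when m_data is nullptr, forming the reference
    // m_data[i] is the "reference binding to null pointer" UBSan flags.
    icFloatNumber& operator[](std::size_t i) { return m_data[i]; }

private:
    std::size_t m_count;
    icFloatNumber* m_data;
};

// Encode one normalised sample as a lut16-style 16-bit value (constructed
// rule: clamp to [0,1], scale to 0..65535, round to nearest).
static std::uint16_t EncodeLut16(icFloatNumber v) {
    if (v < 0.0f) v = 0.0f;
    if (v > 1.0f) v = 1.0f;
    return static_cast<std::uint16_t>(v * 65535.0f + 0.5f);
}

// Writer shaped like the failing path (Write -> curve[i]) but guarded:
// an empty curve is reported to the caller instead of being indexed.
// Returns the number of samples written, 0 for an unallocated curve.
std::size_t WriteCurveSamples(ToyCurve& curve, std::vector<std::uint16_t>& out) {
    out.clear();
    if (curve.GetSize() == 0) {
        return 0;  // the size check that the reported path lacks
    }
    for (std::size_t i = 0; i < curve.GetSize(); ++i) {
        out.push_back(EncodeLut16(curve[i]));  // m_data is non-null here
    }
    return out.size();
}

int main() {
    ToyCurve empty(0);
    ToyCurve three(3);
    three[0] = 0.0f; three[1] = 0.5f; three[2] = 1.0f;
    std::vector<std::uint16_t> buf;
    std::printf("empty curve: %zu samples written\n", WriteCurveSamples(empty, buf));
    std::printf("3-entry curve: %zu samples written\n", WriteCurveSamples(three, buf));
    return 0;
}
```

Built with -fsanitize=undefined as in the repro, calling the unchecked operator[] on the empty curve would reproduce the same "reference binding to null pointer" diagnostic; the guarded writer never reaches it, which is the shape a fix at the Write() call site needs to take.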

Labels

Triaged (Maintainer indicates triaged status and ready for developer handoff), afl (AFL++ Related Issue)