Patch: DumpLut Iterate() in IccTagLut.cpp in dumpProfile-LUT #704
Maintainer Repro
2026-03-18 22:07:41 UTC
- Found while debugging the dumpProfile-LUTs branch: the unpatched build prints no CLUT rows after the `BEGIN_LUT CLUT` header (see "Unpatched Output" below).
Unpatched Build
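# Unpatched repro: sanitizer-instrumented build of iccDEV, then dump the fuzz-corpus profile.
# Abort on the first failed step so a broken clone/build cannot fall through and run whatever
# iccDumpProfile (e.g. a system copy) happens to be on PATH, which would misattribute the output.
set -euo pipefail
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV/Build
# ASan+UBSan with coverage; frame pointers kept so sanitizer stack traces are usable.
export CXX=clang++
export CXXFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O1 -fprofile-arcs -ftest-coverage"
export LDFLAGS="-fsanitize=address,undefined -fprofile-arcs"
cmake Cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON -DENABLE_UBSAN=ON -DENABLE_COVERAGE=ON -DENABLE_TOOLS=ON
make -j32
cd ../Testing/
echo "=== Updating PATH ==="
for tooldir in ../Build/Tools/*; do
  [ -d "$tooldir" ] && export PATH="$(realpath "$tooldir"):$PATH"
done
# Untrusted fuzz-corpus sample: only ever feed it to the instrumented build above.
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/BlacklightPoster_202143.icc
# Sanitizer reports go to stderr; keep them in a log instead of discarding them with 2>/dev/null.
iccDumpProfile -v 100 BlacklightPoster_202143.icc ALL 2>iccDumpProfile-unpatched.stderr.log | grep -A5 "BEGIN_LUT CLUT"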
Unpatched Output
BEGIN_LUT CLUT 2 3
Lab_1=17 Lab_2=17 Lab_L Lab_a Lab_b
BEGIN_LUT A_Curve_Lab_L 1 1
IN OUT
0.000 62.353
0.392 76.863
Patch
diff --git a/IccProfLib/IccTagLut.cpp b/IccProfLib/IccTagLut.cpp
index e9e9aad..17988cc 100644
--- a/IccProfLib/IccTagLut.cpp
+++ b/IccProfLib/IccTagLut.cpp
@@ -2060,7 +2060,7 @@ void CIccCLUT::Iterate(std::string &sDescription, icUInt8Number nIndex, icUInt32
int i;
for (i=0; i<m_GridPoints[nIndex]; i++) {
m_GridAdr[nIndex] = i;
- Iterate(sDescription, nIndex+1, nPos, bUseLegacy);
+ Iterate(sDescription, nIndex+1, nPos, bufSize, bUseLegacy);
nPos += m_DimSize[nIndex];
}
}
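Review bot: The `+` line forwards `bufSize` down the recursion, but nothing in this hunk bounds `nIndex` itself: `m_GridAdr[nIndex] = i` indexes what the next hunk's `memset(m_GridAdr, 0, 16)` suggests is a 16-entry array, while `nIndex` is an `icUInt8Number` (0..255), so a profile whose CLUT reports more than 16 input channels would still write past it unless the parser rejects such values before `DumpLut` is reached — that check is outside this hunk and worth confirming. Since the removed four-argument call compiled, a four-argument `Iterate` overload or a default for `bufSize` presumably still exists; if so, any other caller still reaches the unbounded path, so consider removing it or marking it deprecated. A guard at the top of the loop, `if (nIndex >= sizeof(m_GridAdr)) return;` (assuming `m_GridAdr` is that byte array), would make the recursion self-contained. `CIccCLUT::Iterate` starts before this hunk.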
@@ -2251,6 +2251,10 @@ void CIccCLUT::DumpLut(std::string &sDescription, const icChar *szName,
memset(m_GridAdr, 0, 16);
Iterate(sDescription, 0, 0, outSize, bUseLegacy);
+
+ // Reset member pointers to avoid dangling references to stack arrays
+ m_pOutText = NULL;
+ m_pVal = NULL;
}
}
}
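Review bot: The reset of `m_pOutText` and `m_pVal` only runs when control reaches the end of this branch; they are assigned earlier in `DumpLut` (outside the hunk) to point at stack arrays, so an exception propagating out of `Iterate`, or any early `return` between that assignment and these lines, would leave exactly the dangling pointers the new comment describes. If the project builds with exceptions enabled, a small RAII guard declared right after the pointers are set would reset them on every path; otherwise a comment stating that `Iterate` must not throw or return early is enough. While here, the context line `memset(m_GridAdr, 0, 16);` hard-codes the array size; `memset(m_GridAdr, 0, sizeof(m_GridAdr));` keeps it in step with the declaration. `CIccCLUT::DumpLut` starts before this hunk.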
Build Patch
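# Patched repro: same sanitizer-instrumented build, with the bufSize patch applied first.
# Abort on the first failed step so a failed patch or build cannot fall through and run a
# stale or system iccDumpProfile from PATH, which would misattribute the output.
set -euo pipefail
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV
PATCH=048-dumplut-iterate-missing-bufsize.patch
# The patch is fetched from a third-party repo: print what it touches and confirm it matches
# the diff quoted in this issue before building on it.
wget "https://raw.githubusercontent.com/xsscx/research/refs/heads/main/cfl/patches/$PATCH"
git apply --stat "$PATCH"
git apply "$PATCH"
cd Build
# ASan+UBSan with coverage; frame pointers kept so sanitizer stack traces are usable.
export CXX=clang++
export CXXFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O1 -fprofile-arcs -ftest-coverage"
export LDFLAGS="-fsanitize=address,undefined -fprofile-arcs"
cmake Cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON -DENABLE_UBSAN=ON -DENABLE_COVERAGE=ON -DENABLE_TOOLS=ON
make -j32
cd ../Testing/
echo "=== Updating PATH ==="
for tooldir in ../Build/Tools/*; do
  [ -d "$tooldir" ] && export PATH="$(realpath "$tooldir"):$PATH"
done
# Untrusted fuzz-corpus sample: only ever feed it to the instrumented build above.
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/BlacklightPoster_202143.icc
# Sanitizer reports go to stderr; keep them in a log instead of discarding them with 2>/dev/null.
iccDumpProfile -v 100 BlacklightPoster_202143.icc ALL 2>iccDumpProfile-patched.stderr.log | grep -A5 "BEGIN_LUT CLUT"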
Patched Output
BEGIN_LUT CLUT 2 3
Lab_1=17 Lab_2=17 Lab_L Lab_a Lab_b
0.000 -128.000 0.000 -127.000 -126.000
0.000 -112.062 1.176 -124.000 -123.000
0.000 -96.125 2.353 -121.000 -120.000
0.000 -80.188 3.529 -118.000 -117.000