Skip to content

Fix: CIccTagLut16::Read() UB #223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
xsscx merged 26 commits into from
Nov 24, 2025
Merged

Fix: CIccTagLut16::Read() UB #223

xsscx merged 26 commits into from
Nov 24, 2025
+3 −3

Conversation

@ChrisCoxArt
Copy link
Contributor

@ChrisCoxArt ChrisCoxArt commented Nov 24, 2025

Fixes #213

@ChrisCoxArt
Fix 300+ compiler warnings and errors, only 3033 to go!
fd3bb44 
Lots of unused parameters and variables
More than a few values set but never used
Lots of bad switch() statements that don't have a default or use all enum values
Lots of bad cases using values that are not part of the enum
Lots of sprintf without length check!
The actual errors are difficult to see among all the warning noise.
@ChrisCoxArt
Another 300+ warnings fixed, plus a few obvious bugs
44bf11b 
spectral m_Range was never copied correctly, code probably needs more test cases.
@ChrisCoxArt
another 400 or so warnings, plus a few bugs and dead code
a6908ba
@ChrisCoxArt
warnings and simple bug fixes
cf56107 
sigh, someone played fast and loose with buffer management.
Need to make sure sizes are passed in, or std::string is used (slow, but less error prone)
@ChrisCoxArt
under 1000 warnings left
6e6ec26 
and I need to check in these changes before I grab dinner
@ChrisCoxArt
another batch of fixes, now down to 462 warnings
8e6d57f
@ChrisCoxArt
down to 435 warnings, what remains are not as simple to fix
cabbbce 
more of the same errors and deprecated functions, unused parameters and variables, etc.
@ChrisCoxArt
refactor file IO to use size_t
66a1d27 
Also update several utility functions, for safety.
It still isn't 64 bit file offset ready for ICC profiles, but at least we get rid of a ton of casting errors and warnings, and are more likely to catch overflows.
@ChrisCoxArt
fixing up enum abuse
2baa4b2 
Down to 87 warnings (after fileIO refactor also applied)
@ChrisCoxArt
fix switch/case fallthrough warnings
8678c71
@ChrisCoxArt
fix shadowed variables
cdecd46 
fix a bunch of variables shadowing local variables
That sort of code always get confused.
Try to fix some macros that caused shadow variables, add notes to eventually remove those macros.
@ChrisCoxArt
Merge branch 'InternationalColorConsortium:master' into master
1ec06e4
@ChrisCoxArt
Merge pull request #1 from ChrisCoxArt/FileIORefactor
4548fb9 
refactor file IO to use size_t
@ChrisCoxArt
Merge branch 'InternationalColorConsortium:master' into master
d961c12
@ChrisCoxArt
Merge pull request #2 from ChrisCoxArt/enum-cleanup
dc0501c 
fixing up enum abuse
@ChrisCoxArt
more fallthrough fixes
7d3cda1
@ChrisCoxArt
fix simple virtual override hide warnings
d36370c
@ChrisCoxArt
fix the last virtual hidden override warnings
571d132
@ChrisCoxArt
fix sprintf formatting for size_t hex output
684a10e
@ChrisCoxArt
fix two more virtual override hides warning
da56e39
@ChrisCoxArt
Merge branch 'master' of https://github.com/ChrisCoxArt/iccDEV
a24cc52
@ChrisCoxArt
replace deprecated codecvt usage
8daf677 
Not yet tested properly, because I can't find a profile that hits that code path
@ChrisCoxArt
document the C++17 requirement
6d13263 
It was previously only noted in the CMake files.
@ChrisCoxArt
Merge branch 'master' into master
176f665
@ChrisCoxArt
add check of count before reading into curve data
ccd0526 
Fix InternationalColorConsortium#213
@ChrisCoxArt
Merge branch 'InternationalColorConsortium:master' into CIccTagLut16_…
4b2cbf6 
…Read_Fix
@xsscx xsscx self-assigned this Nov 24, 2025
@xsscx xsscx added Bug Bug Report PR Pull Request Review in Process PR being Reviewed by Maintainers labels Nov 24, 2025
@xsscx xsscx self-requested a review November 24, 2025 01:11
@xsscx xsscx added the ci label Nov 24, 2025
@xsscx xsscx changed the title Cicctaglut16 read fix Fix: CIccTagLut16::Read() UB Nov 24, 2025
xsscx
xsscx approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@xsscx xsscx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR223 Repro

Reported in #213

Host

Last Updated: Sun Nov 23 08:17:42 PM EST 2025

Linux 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Verify PR223 Source

git status
On branch pr-223

git log
commit 4b2cbf6e1ae94b30d4cb4cfe23e91780b3ec2f21 (HEAD -> pr-223)
Merge: ccd0526 b34b7b2
Author: Chris Cox <ccox@comcast.net>
Date:   Sun Nov 23 17:08:27 2025 -0800

    Merge branch 'InternationalColorConsortium:master' into CIccTagLut16_Read_Fix

PR Configure, Build & Test

git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV
git fetch origin pull/223/head:pr-223
git checkout pr-223
cd Build
cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address,undefined -fno-omit-frame-pointer" -Wno-dev Cmake/
make -j$(nproc)
        cd ../Testing/
        echo "=== Updating PATH ==="
         for d in ../Build/Tools/*; do
          [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
         done 
wget https://github.com/xsscx/Commodity-Injection-Signatures/raw/refs/heads/master/graphics/icc/Argyll_V302_null_byte_read-icmTable_setup_bwd-cve-2023-46867-variant-argyle-001.icc
iccDumpProfile -v Argyll_V302_null_byte_read-icmTable_setup_bwd-cve-2023-46867-variant-argyle-001.icc

Expected Output

Built with IccProfLib version 2.3.1

Unable to parse 'Argyll_V302_null_byte_read-icmTable_setup_bwd-cve-2023-46867-variant-argyle-001.icc' as ICC profile!

Validation Report
-----------------
Profile has Critical Error(s) that violate ICC specification

NonCompliant! - Bad Profile ID
Error! -  - AToB0Tag - Tag has invalid structure!
Error! -  - BToA0Tag - Tag has invalid structure!
Error! -  - AToB0Tag - Tag has invalid structure!
Error! -  - AToB2Tag - Tag has invalid structure!

EXIT -1

@xsscx xsscx added Merged Merged ci and removed Bug Bug Report Review in Process PR being Reviewed by Maintainers ci cpp-source labels Nov 24, 2025
@xsscx xsscx merged commit f1fe42a into InternationalColorConsortium:master Nov 24, 2025
@ChrisCoxArt ChrisCoxArt deleted the CIccTagLut16_Read_Fix branch November 24, 2025 02:10
@xsscx xsscx added the Security Security Related label Nov 25, 2025
@xsscx
Copy link
Member

xsscx commented Jan 3, 2026

GHSA-c3xr-6687-5c8p

@xsscx xsscx added the CVE Requested Maintainer indicates a CVE has been Requested label Jan 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xsscx xsscx xsscx approved these changes

Assignees

@xsscx xsscx

Labels

CVE Requested Maintainer indicates a CVE has been Requested Merged Merged PR Pull Request Security Security Related

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Known Defect: IccTagLut.h:142 | runtime error: reference binding to null pointer of type 'icFloatNumber' (aka 'float')

2 participants

@ChrisCoxArt @xsscx