@ChrisCoxArt
Contributor

Fix bad pointer cast and leaked memory. Fixes #183

@xsscx xsscx self-requested a review November 25, 2025 11:58
@xsscx xsscx self-assigned this Nov 25, 2025
@xsscx xsscx added Bug Bug Report Review in Process PR being Reviewed by Maintainers ci PR Pull Request labels Nov 25, 2025
@xsscx
Member

xsscx commented Nov 25, 2025

Bug History

Issue 54 vs Issue 183 heap-buffer-overflow

Issue 54 at Bug 7 addressed a heap-buffer-overflow with PoC: iccFromXML mcs/17ChanWithSpots-MVIS.xml mcs/17ChanWithSpots-MVIS.icc

Contrasted with Issue 183 with PoC: iccFromXml CMYK-3DLUTs2.xml CMYK-3DLUTs2.icc

Knowledgebase

@xsscx xsscx changed the title Issue183 Fix: Type Confusion in icStatusCMM::CIccEvalCompare::EvaluateProfile() Nov 25, 2025
Member

@xsscx xsscx left a comment


PR228 Repro

    export CXX=clang++
    git clone https://github.com/InternationalColorConsortium/iccDEV.git
    cd iccDEV
    git fetch origin pull/228/head:pr-228
    git checkout pr-228
    cd Build
    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -Wno-dev -DCMAKE_CXX_FLAGS="-g -fsanitize=address,undefined -fno-omit-frame-pointer -Wall" -DENABLE_TOOLS=ON -DENABLE_STATIC_LIBS=ON -DENABLE_SHARED_LIBS=ON Cmake/
    make -j$(nproc)
    cd ../Testing/
    echo "=== Updating PATH ==="
    for d in ../Build/Tools/*; do
        [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
    done
    echo "========= BEGIN INSIDE STUB for PR228 ========="
    cd ../Testing/
    echo "=== Updating PATH ==="
    for d in ../Build/Tools/*; do
        [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
    done
    echo "========= Create Profiles ========="
    sh CreateAllProfiles.sh
    echo "========= Run Tests ========="
    sh RunTests.sh
    cd HDR
    sh mkprofiles.sh
    cd ..
    cd hybrid
    sh BuildAndTest.sh
    cd ..
    cd CalcTest
    sh checkInvalidProfiles.sh
    cd ..
    cd mcs
    sh updateprev.sh
    sh updateprevWithBkgd.sh
    cd ..
    echo "========= Regression Tests ========="
    wget https://github.com/xsscx/PatchIccMAX/raw/refs/heads/re231/contrib/UnitTest/cve-2023-46602.icc
    iccDumpProfile cve-2023-46602.icc
    iccRoundTrip cve-2023-46602.icc
    wget https://github.com/xsscx/PatchIccMAX/raw/refs/heads/re231/contrib/UnitTest/icPlatformSignature-ubsan-poc.icc
    iccRoundTrip icPlatformSignature-ubsan-poc.icc
    iccDumpProfile icPlatformSignature-ubsan-poc.icc
    wget https://github.com/xsscx/PatchIccMAX/raw/refs/heads/re231/contrib/UnitTest/icSigMatrixElemType-Read-poc.icc
    iccRoundTrip icSigMatrixElemType-Read-poc.icc
    iccDumpProfile icSigMatrixElemType-Read-poc.icc
    iccToXml icSigMatrixElemType-Read-poc.icc icSigMatrixElemType-Read-poc.xml
    iccToXml icPlatformSignature-ubsan-poc.icc icPlatformSignature-ubsan-poc.xml
    iccToXml cve-2023-46602.icc cve-2023-46602.xml
    iccFromXml icSigMatrixElemType-Read-poc.xml icSigMatrixElemType-Read-rt.icc
    iccFromXml icPlatformSignature-ubsan-poc.xml icPlatformSignature-ubsan-rt.icc
    iccFromXml cve-2023-46602.xml cve-2023-46602-rt.icc
    iccRoundTrip PCC/Lab_float-D50_2deg.icc
    wget https://github.com/xsscx/Commodity-Injection-Signatures/raw/refs/heads/master/graphics/icc/Cat8Lab-D65_2degMeta.icc
    iccRoundTrip Cat8Lab-D65_2degMeta.icc
    iccRoundTrip sRGB_v4_ICC_preference.icc
    echo "========= BEGIN TEST for PR228 Type Confusion ========="
    cd PCC
    iccRoundTrip Lab_float-D50_2deg.icc
    echo "========= Profile Count ========="
    find . -iname "*.icc" | wc -l
    echo "========= INSIDE STUB EXIT ========="

Expected Output

========= BEGIN TEST for PR228 =========
Profile:          'Lab_float-D50_2deg.icc'
Rendering Intent: Relative Colorimetric
Specified Gamut:  Not Specified

Round Trip 1
------------
Min DeltaE:        0.00
Mean DeltaE:       0.00
Max DeltaE:        0.00

Max L, a, b:   0.000000, 0.000000, 0.000000

Round Trip 2
------------
Min DeltaE:        0.00
Mean DeltaE:       0.00
Max DeltaE:        0.00

Max L, a, b:   0.000000, 0.000000, 0.000000

PRMG Interoperability - Round Trip Results
------------------------------------------------------
DE <= 1.0 (  201613): 100.0%
DE <= 2.0 (  201613): 100.0%
DE <= 3.0 (  201613): 100.0%
DE <= 5.0 (  201613): 100.0%
DE <=10.0 (  201613): 100.0%
Total     (  201613)

The above Test indicates that PR228 resolves Issue 183 for Type Confusion and this PR will be Merged.
Thank You @ChrisCoxArt for your time & efforts!
Signed-off-by: D Hoyt xss@xss.cx

@xsscx xsscx added Merged Merged and removed Bug Bug Report ci labels Nov 25, 2025
@xsscx
Member

xsscx commented Nov 25, 2025

Status

Tue Nov 25 10:00:02 AM EST 2025

  • Seasoning up to 6 hours to permit additional Comments & Feedback
  • This is a priority security patch to Merge

@xsscx xsscx added Security Security Related Merged Merged and removed Merged Merged Review in Process PR being Reviewed by Maintainers labels Nov 25, 2025
@xsscx xsscx merged commit 9023d2d into master Nov 25, 2025
3 checks passed
@ChrisCoxArt ChrisCoxArt deleted the issue183 branch November 25, 2025 19:39
@xsscx xsscx added the CVE Requested Maintainer indicates a CVE has been Requested label Jan 3, 2026
@xsscx
Member

xsscx commented Jan 3, 2026

GHSA-f2wp-j3fr-938w


Successfully merging this pull request may close these issues.

Known Defect | Type Confusion |runtime error: downcast of address ... which does not point to an object of type 'CIccTagLutAtoB' | IccEval.cpp:139
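
An added illustration (not code from this PR or from iccDEV) of the defect class named in the linked issue: a base-class pointer downcast to a type the object does not have, shown next to a checked cast with owned memory. `Tag`, `LutAtoB`, `MpeTag`, `FindTag`, `CheckedChannels` and this `EvaluateProfile` are hypothetical stand-ins.

```cpp
// Added illustration: Tag, LutAtoB, MpeTag and every function here are
// hypothetical stand-ins, not iccDEV classes and not the code changed by the PR.
#include <cstdio>
#include <memory>

struct Tag {                        // polymorphic base for all tag types
    virtual ~Tag() = default;
};
struct LutAtoB : Tag {              // the type the evaluator expects
    int inputChannels = 4;
    int InputChannels() const { return inputChannels; }
};
struct MpeTag : Tag {               // another type the same lookup can return
    double gain = 1.0;
};

// Constructed lookup: the dynamic type depends on the profile's content.
std::unique_ptr<Tag> FindTag(bool profileUsesMpe) {
    if (profileUsesMpe) return std::make_unique<MpeTag>();
    return std::make_unique<LutAtoB>();
}

// Unchecked form, kept as a comment so the file stays free of undefined behaviour:
//   static_cast<LutAtoB*>(tag)->InputChannels();
// With an MpeTag behind the pointer this reads a foreign object layout, and
// -fsanitize=undefined reports a downcast to a type the object does not have.

// Checked form: dynamic_cast yields nullptr when the dynamic type differs.
int CheckedChannels(const Tag* tag) {
    const auto* lut = dynamic_cast<const LutAtoB*>(tag);
    return lut ? lut->InputChannels() : -1;   // -1: missing or wrong type
}

// unique_ptr owns the tag, so the early return below cannot leak it.
int EvaluateProfile(bool profileUsesMpe) {
    std::unique_ptr<Tag> tag = FindTag(profileUsesMpe);
    const int channels = CheckedChannels(tag.get());
    if (channels < 0) return -1;               // reject instead of misreading
    return channels;
}

int main() {
    std::printf("LUT-based profile: %d\n", EvaluateProfile(false));
    std::printf("MPE-based profile: %d\n", EvaluateProfile(true));
    return 0;
}
```

Built with the same `-fsanitize=address,undefined` flags as the repro, this version runs clean for both inputs.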
