@ChrisCoxArt
Contributor

Fix issue #178
Also fix some indentation so it matches the usual style, and is easier to read.

Several places don't have string lengths, or dereference the string pointer before checking the position.
I suspect there are a lot more bugs in here.
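The bug class this PR describes, a loop that reads the byte at the string pointer before checking that the position is still inside the string's length, is illustrated below. This is an added example written for this page, not code from iccDEV or from the PR; the parser name parseFloatArray, its separator rules and the 64-byte token scratch buffer are all constructed here, and the sample inputs are constructed as well. The loop is written so that every dereference of the input buffer is preceded by a `pos < len` test, which is the ordering the fix imposes.

```cpp
// Added illustration of the defect class named in PR229 (dereferencing the
// string pointer before checking the position against the length). Not code
// from iccDEV; parseFloatArray() and its token handling are constructed here.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// Parses whitespace- or comma-separated decimal numbers from a buffer that is
// NOT guaranteed to be NUL-terminated. `len` is the only trusted bound.
//
// The unsafe shape this PR removes looks like
//     while (*p != ' ' && pos < len) { ... }   // reads *p, then checks pos
// Below, every read of buf[pos] is guarded by `pos < len` evaluated first, so
// the short-circuit && never lets the dereference happen past the end.
static std::vector<float> parseFloatArray(const char* buf, size_t len)
{
  std::vector<float> out;
  size_t pos = 0;

  while (pos < len) {
    // Skip separators: position check before looking at the byte.
    while (pos < len && (std::isspace((unsigned char)buf[pos]) || buf[pos] == ','))
      ++pos;
    if (pos >= len)
      break;

    // Copy one token into a bounded, NUL-terminated scratch buffer so that
    // strtof() never walks beyond the caller's bytes (strtof has no length
    // parameter and would otherwise scan until it finds a NUL).
    char tok[64];
    size_t n = 0;
    while (pos < len && !std::isspace((unsigned char)buf[pos]) && buf[pos] != ',') {
      if (n + 1 < sizeof(tok))      // drop excess characters, never overflow tok
        tok[n++] = buf[pos];
      ++pos;
    }
    tok[n] = '\0';

    char* endp = nullptr;
    float v = std::strtof(tok, &endp);
    if (endp != tok && *endp == '\0') // whole token consumed: a valid number
      out.push_back(v);
    // Malformed tokens ("x", "1.5.6") are skipped rather than trusted.
  }
  return out;
}

int main()
{
  // Constructed sample: 7 bytes, deliberately without a NUL terminator.
  const char sample[] = {'1', '.', '5', ' ', '2', ',', '3'};
  std::vector<float> vals = parseFloatArray(sample, sizeof sample);
  for (float v : vals)
    std::printf("%g\n", v);
  return 0;
}
```

Running this under `-fsanitize=address`, as the maintainer's repro script does for the real tools, is the check that matters: with the position test first, a buffer that ends mid-token or has no terminator produces no out-of-bounds read, and a truncated `len` simply yields fewer values.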
@xsscx xsscx self-requested a review November 25, 2025 11:58
@xsscx xsscx self-assigned this Nov 25, 2025
@xsscx xsscx added the labels Bug (Bug Report), PR (Pull Request), Review in Process (PR being Reviewed by Maintainers) and ci Nov 25, 2025
@xsscx xsscx changed the title from "Issue #178 - Fix loops to test length limit before dereferencing the string pointer" to "Fix: CIccXmlArrayType::ParseText() heap-buffer-overflow" Nov 25, 2025
Member

@xsscx xsscx left a comment

PR229 Repro & Test

    export CXX=clang++
    git clone https://github.com/InternationalColorConsortium/iccDEV.git
    cd iccDEV
    git fetch origin pull/229/head:pr-229
    git checkout pr-229
    cd Build
    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -Wno-dev -DCMAKE_CXX_FLAGS="-g -fsanitize=address,undefined -fno-omit-frame-pointer -Wall" -DENABLE_TOOLS=ON -DENABLE_STATIC_LIBS=ON -DENABLE_SHARED_LIBS=ON Cmake/
    make -j$(nproc)
    echo "========= BEGIN INSIDE STUB for PR229 ========="
    cd ../Testing/
    echo "=== Updating PATH ==="
    for d in ../Build/Tools/*; do
      [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
    done
    echo "========= Create Profiles ========="
    sh CreateAllProfiles.sh
    echo "========= Run Tests ========="
    sh RunTests.sh
    cd HDR
    sh mkprofiles.sh
    cd ..
    cd hybrid
    sh BuildAndTest.sh
    cd ..
    cd CalcTest
    sh checkInvalidProfiles.sh
    cd ..
    cd mcs
    sh updateprev.sh
    sh updateprevWithBkgd.sh
    cd ..
    echo "========= Regression Tests ========="
    wget https://github.com/xsscx/PatchIccMAX/raw/refs/heads/re231/contrib/UnitTest/cve-2023-46602.icc
    iccDumpProfile cve-2023-46602.icc
    iccRoundTrip cve-2023-46602.icc
    wget https://github.com/xsscx/PatchIccMAX/raw/refs/heads/re231/contrib/UnitTest/icPlatformSignature-ubsan-poc.icc
    iccRoundTrip icPlatformSignature-ubsan-poc.icc
    iccDumpProfile icPlatformSignature-ubsan-poc.icc
    wget https://github.com/xsscx/PatchIccMAX/raw/refs/heads/re231/contrib/UnitTest/icSigMatrixElemType-Read-poc.icc
    iccRoundTrip icSigMatrixElemType-Read-poc.icc
    iccDumpProfile icSigMatrixElemType-Read-poc.icc
    iccToXml icSigMatrixElemType-Read-poc.icc icSigMatrixElemType-Read-poc.xml
    iccToXml icPlatformSignature-ubsan-poc.icc icPlatformSignature-ubsan-poc.xml
    iccToXml cve-2023-46602.icc cve-2023-46602.xml
    iccFromXml icSigMatrixElemType-Read-poc.xml icSigMatrixElemType-Read-rt.icc
    iccFromXml icPlatformSignature-ubsan-poc.xml icPlatformSignature-ubsan-rt.icc
    iccFromXml cve-2023-46602.xml cve-2023-46602-rt.icc
    iccRoundTrip PCC/Lab_float-D50_2deg.icc
    wget https://github.com/xsscx/Commodity-Injection-Signatures/raw/refs/heads/master/graphics/icc/Cat8Lab-D65_2degMeta.icc
    iccRoundTrip Cat8Lab-D65_2degMeta.icc
    iccRoundTrip sRGB_v4_ICC_preference.icc
    echo "========= BEGIN TEST for PR229 heap-buffer-overflow ========="
    cd CMYK-3DLUTs
    iccFromXml CMYK-3DLUTs2.xml CMYK-3DLUTs2.icc
    echo "========= Profile Count ========="
    find . -iname "*.icc" | wc -l
    echo "========= INSIDE STUB EXIT ========="

Expected Output

    ========= BEGIN TEST for PR229 =========
    Profile parsed.  Profile is invalid, but saved correctly
    Warning! - Unknown 'RICC' = 52494343: Unknown platform signature.
    Error! - gamutTag: - Incorrect number of input channels.
    Error! - gamutTag: - Incorrect number of output channels.

The above Test indicates that PR229 resolves Issue 178 for heap-buffer-overflow and this PR will be Merged.

Thank You @ChrisCoxArt for your time & efforts!
PR229 addressed the heap-buffer-overflow in CIccXmlArrayType::ParseText() reported in Issue 178.
Signed-off-by: D Hoyt xss@xss.cx

@xsscx xsscx added the Merged label and removed the Bug (Bug Report) label Nov 25, 2025
@xsscx
Member

xsscx commented Nov 25, 2025

Status

Tue Nov 25 10:00:02 AM EST 2025

  • Seasoning up to 6 hours to permit additional Comments & Feedback
  • This is a priority security patch to Merge

@xsscx xsscx added the Security (Security Related) label and removed the ci and Review in Process (PR being Reviewed by Maintainers) labels Nov 25, 2025
@xsscx xsscx merged commit 1ea8a60 into master Nov 25, 2025
3 checks passed
@ChrisCoxArt ChrisCoxArt deleted the issue-178 branch November 25, 2025 19:39
@xsscx xsscx added the CVE Requested Maintainer indicates a CVE has been Requested label Jan 3, 2026
@xsscx
Member

xsscx commented Jan 3, 2026

GHSA-jq9m-54gr-c56c

Labels

CVE Requested (Maintainer indicates a CVE has been Requested), Merged, PR (Pull Request), Security (Security Related)

Development

Successfully merging this pull request may close these issues.

Known Defect | CIccXmlArrayType::ParseText() heap-buffer-overflow | IccUtilXml.cpp#L995

3 participants