
Fix: SBO in CIccTagFloatNum::GetValues()#565

Merged: xsscx merged 2 commits into master from issue-551 on Feb 2, 2026

Conversation

@ChrisCoxArt (Contributor)

Fixes #551

Pull Request Checklist

  • Have you followed the guidelines in the Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you built your Pull Request locally with the Build Instructions?
  • Have you added or updated relevant tests?
  • Have you added or updated relevant docs?

@ChrisCoxArt ChrisCoxArt requested a review from xsscx as a code owner February 2, 2026 02:27
@xsscx xsscx self-assigned this Feb 2, 2026
@xsscx xsscx added the labels PR (Pull Request), Review in Process (Issue is being Reviewed by Maintainers) and Pending Merge (Maintainer indicates Merge Pending and requests no further changes), and removed the label Review in Process (Issue is being Reviewed by Maintainers), Feb 2, 2026

@xsscx xsscx (Member) left a comment

PR565 Review

2026-02-02 02:44:44 UTC

d726649 (HEAD -> pr-565, origin/issue-551) use the size limit passed in, not the size of the array

Repro

mkdir pr565
cd pr565
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV
git fetch origin pull/565/head:pr-565
git checkout pr-565
cd Build
cmake -DCMAKE_INSTALL_PREFIX="$HOME/.local" -DCMAKE_BUILD_TYPE=Debug -DENABLE_TOOLS=ON -DENABLE_SHARED_LIBS=ON -DENABLE_STATIC_LIBS=ON -DENABLE_TESTS=ON -DENABLE_INSTALL_RIM=ON -DENABLE_ICCXML=ON -Wno-dev -DCMAKE_CXX_FLAGS="-g -fsanitize=address,undefined -fno-omit-frame-pointer -Wall" -Wno-dev Cmake/
make -j$(nproc)
cd ../Testing/
echo "=== Updating PATH ==="
for d in ../Build/Tools/*; do
  [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
done
cd ..
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/stack-smashing-CIccTagFloatNum-CIccTagStruct-GetElemNumberValue-IccTagBasic_cpp-Line6634.icc
iccApplyNamedCmm Tools/CmdLine/IccApplyNamedCmm/DataSetFiles/DarkRed-RGB.txt 3 0 stack-smashing-CIccTagFloatNum-CIccTagStruct-GetElemNumberValue-IccTagBasic_cpp-Line6634.icc 0

PR565 Expected Output

Error 2 - Unable to begin profile application - Possibly invalid or incompatible profiles
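The commit above fixes the overrun by bounding the copy with the size limit the caller passes in rather than the tag's own element count. The following is an added, reduced model of that pattern (not iccDEV's CIccTagFloatNum; the class layout, the nStart/nSize parameters and the caller's 3-float stack buffer are assumptions made for illustration):

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical float-number tag holding m_nSize values read from a profile.
class FloatNumTag {
public:
    explicit FloatNumTag(std::vector<float> values) : m_Num(std::move(values)) {}

    // The buggy pattern drove the memcpy by m_Num.size(): a caller handing in a
    // smaller buffer got every element written past the end of it. The fixed
    // pattern below copies at most nSize values (the caller's limit) and rejects
    // a request that does not fit inside the tag's data instead of clamping it.
    bool GetValues(float *dst, uint32_t nStart, uint32_t nSize) const {
        if (!dst) return false;
        // Written so nStart + nSize cannot wrap around before the comparison.
        if (nStart > m_Num.size() || nSize > m_Num.size() - nStart) return false;
        std::memcpy(dst, m_Num.data() + nStart, nSize * sizeof(float));
        return true;
    }

    size_t Size() const { return m_Num.size(); }

private:
    std::vector<float> m_Num;
};

// Caller with a fixed-size stack buffer, the situation in which the original
// pattern became a stack buffer overflow. Returns the number of values received,
// or -1 when the tag refused the request.
int ReadIntoStackBuffer(const FloatNumTag &tag, uint32_t nStart, uint32_t nRequest) {
    float buf[3] = {0.0f, 0.0f, 0.0f};
    uint32_t n = std::min<uint32_t>(nRequest, 3);  // never ask for more than buf holds
    if (!tag.GetValues(buf, nStart, n)) return -1;
    return static_cast<int>(n);
}

int main() {
    FloatNumTag tag({1.0f, 2.0f, 3.0f, 4.0f, 5.0f});  // constructed sample data
    std::printf("read %d values\n", ReadIntoStackBuffer(tag, 0, 5));   // 3
    std::printf("read %d values\n", ReadIntoStackBuffer(tag, 3, 3));   // -1
    return 0;
}
```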

@xsscx xsscx changed the title Fix buffer overrun and use after free Fix: SBO in CIccTagFloatNum::GetValues() Feb 2, 2026
@xsscx xsscx merged commit c9cb108 into master Feb 2, 2026
24 checks passed
@xsscx xsscx added the labels Merged, Security (Security Related) and CVE Requested (Maintainer indicates a CVE has been Requested), and removed the label Pending Merge (Maintainer indicates Merge Pending and requests no further changes), Feb 2, 2026
@xsscx xsscx (Member) commented Feb 4, 2026

GHSA-xjr3-v3vr-5794

@ChrisCoxArt ChrisCoxArt deleted the issue-551 branch February 4, 2026 23:12

Labels

CVE Requested (Maintainer indicates a CVE has been Requested), Merged, PR (Pull Request), Security (Security Related)


Development

Successfully merging this pull request may close these issues.

SBO in CIccTagFloatNum::GetValues() at IccTagBasic.cpp:6634

2 participants