Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
pocs/cms/
pocs/cms/

POC of CMS

1-cms-out-bound-write-PrecalculateXFORM


gdb --args tificc $POC /tmp/out.tiff

Program received signal SIGSEGV, Segmentation fault.
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe838 --> 0x7ffff7b21c2c (<PrecalculatedXFORM+812>:      mov    r11,QWORD PTR [rbx+0x70])
0008| 0x7fffffffe840 --> 0x3c95700000000000
0016| 0x7fffffffe848 --> 0x102000000b10
0024| 0x7fffffffe850 --> 0x0
0032| 0x7fffffffe858 --> 0x62e610 --> 0x4000200010000
0040| 0x7fffffffe860 --> 0x614820 --> 0x0
0048| 0x7fffffffe868 --> 0x100000000
0056| 0x7fffffffe870 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7000000 in ?? ()
#0  0x00007ffff7000000 in ?? ()
#1  0x00007ffff7b21c2c in PrecalculatedXFORM (p=0x616940, in=0x62e610, out=0x614820, PixelsPerLine=0x1020, LineCount=0x1, Stride=0x7fffffffe900) at ../../cms/src/cmsxform.c:410
#2  0x00007ffff7b25285 in cmsDoTransform (Transform=Transform@entry=0x616940, InputBuffer=InputBuffer@entry=0x62e610, OutputBuffer=OutputBuffer@entry=0x614820, Size=Size@entry=0x1020) at ../.
./cms/src/cmsxform.c:189
#3  0x0000000000405ac7 in TileBasedXform (nPlanes=0x1, out=0x6124d0, in=<optimized out>, hXForm=0x616940) at ../../../cms/utils/tificc/tificc.c:408
#4  TransformImage (cDefInpProf=<optimized out>, out=<optimized out>, in=<optimized out>) at ../../../cms/utils/tificc/tificc.c:904
#5  main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffeba8) at ../../../cms/utils/tificc/tificc.c:1167
#6  0x00007ffff71fe830 in __libc_start_main (main=0x402360 <main>, argc=0x3, argv=0x7fffffffeba8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb
98) at ../csu/libc-start.c:291
#7  0x0000000000408e29 in _start ()

__main__:99: UserWarning: GDB v7.11 may not support required Python API
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (3/22)
Hash: a623b76741d0ee9936f43614a95f8a38.d3ce2561115efa40618f8e7190e9ac1e
Exploitability Classification: EXPLOITABLE
Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but
it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be contro
lled by an attacker.
Other tags: AccessViolation (21/22)


2.tiff-crash-TIFFWriteEncodeTile

这个crash在libtiff的TIFFWriteEncodeTile函数中,需要在最新版中分析。

Stopped reason: SIGABRT
0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff734102a in __GI_abort () at abort.c:89
#2  0x00007ffff73817ea in __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff749aed8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff738c13e in malloc_printerr (ar_ptr=0x7ffff76ceb20 <main_arena>, ptr=0x60d430, str=0x7ffff7497d3f "malloc(): memory corruption", action=<optimized out>) at malloc.c:5006
#4  _int_malloc (av=av@entry=0x7ffff76ceb20 <main_arena>, bytes=bytes@entry=0x2000) at malloc.c:3474
#5  0x00007ffff738e184 in __GI___libc_malloc (bytes=0x2000) at malloc.c:2913
#6  0x00007ffff7933af9 in TIFFWriteBufferSetup () from /usr/lib/x86_64-linux-gnu/libtiff.so.5
#7  0x00007ffff79343b1 in TIFFWriteEncodedTile () from /usr/lib/x86_64-linux-gnu/libtiff.so.5
#8  0x0000000000402db6 in TileBasedXform (hXForm=0x60e940, in=0x609860, out=0x60a4d0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:412
#9  0x00000000004044db in TransformImage (in=0x609860, out=0x60a4d0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#10 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167
#11 0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291
#12 0x0000000000401fe9 in _start ()


3-cms-NULL-Pointer-cmsEvalToneCurve16

gdb --args tificc $POC /tmp/out.tiff

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffde94 --> 0x0
RCX: 0x8
RDX: 0x0
RSI: 0x0
RDI: 0x60e100 --> 0x0
RBP: 0x7fffffffdde0 --> 0x7fffffffde10 --> 0x7fffffffde60 --> 0x7fffffffe2b0 --> 0x7fffffffe360 --> 0x7fffffffe3c0 (--> ...)
RSP: 0x7fffffffddc0 --> 0xffffdde0
RIP: 0x7ffff7b78259 (<cmsEvalToneCurve16+78>:   mov    rax,QWORD PTR [rax+0x80])
R8 : 0x2ce
R9 : 0x7fffffffe3a0 --> 0x0
R10: 0x9d
R11: 0x7ffff7b7820b (<cmsEvalToneCurve16>:      push   rbp)
R12: 0x60e10b --> 0x60c6600000000000
R13: 0x7fffffffe630 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b7824d <cmsEvalToneCurve16+66>:      call   0x7ffff7b6fa60 <__assert_fail@plt>
   0x7ffff7b78252 <cmsEvalToneCurve16+71>:      mov    rax,QWORD PTR [rbp-0x18]
   0x7ffff7b78256 <cmsEvalToneCurve16+75>:      mov    rax,QWORD PTR [rax]
=> 0x7ffff7b78259 <cmsEvalToneCurve16+78>:      mov    rax,QWORD PTR [rax+0x80]
   0x7ffff7b78260 <cmsEvalToneCurve16+85>:      mov    rdx,QWORD PTR [rbp-0x18]
   0x7ffff7b78264 <cmsEvalToneCurve16+89>:      mov    rdx,QWORD PTR [rdx]
   0x7ffff7b78267 <cmsEvalToneCurve16+92>:      lea    rsi,[rbp-0xa]
   0x7ffff7b7826b <cmsEvalToneCurve16+96>:      lea    rcx,[rbp-0x1c]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffddc0 --> 0xffffdde0
0008| 0x7fffffffddc8 --> 0x60e100 --> 0x0
0016| 0x7fffffffddd0 --> 0x7fffffffde94 --> 0x0
0024| 0x7fffffffddd8 --> 0x286060b593741800
0032| 0x7fffffffdde0 --> 0x7fffffffde10 --> 0x7fffffffde60 --> 0x7fffffffe2b0 --> 0x7fffffffe360 --> 0x7fffffffe3c0 (--> ...)
0040| 0x7fffffffdde8 --> 0x7ffff7b781d2 (<cmsEvalToneCurveFloat+110>:   mov    WORD PTR [rbp-0x2],ax)
0048| 0x7fffffffddf0 --> 0xffffde10
0056| 0x7fffffffddf8 --> 0x60e100 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b78259 in cmsEvalToneCurve16 (Curve=0x60e100, v=0x0) at ../../cms/src/cmsgamma.c:1376
1376        Curve ->InterpParams ->Interpolation.Lerp16(&v, &out, Curve ->InterpParams);
gdb-peda$ p Curve->InterpParams
$1 = (cmsInterpParams *) 0x0


4-cms-invalid-access-AllocateToneCurveStruct


gdb --args tificc $POC /tmp/out.tiff

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfffffffc
RBX: 0x7fffffffdea8 --> 0x7fff00000000
RCX: 0xffffffffffffffff
RDX: 0x7ffff7b74c00 (<AllocateToneCurveStruct+1122>:    rex.RB loopne 0x7ffff7b74c4b <AllocateToneCurveStruct+1197>)
RSI: 0x60e6c0 --> 0x4003333333333333
RDI: 0xfffffffc
RBP: 0x7fffffffddf0 --> 0x7fffffffde20 --> 0x7fffffffde70 --> 0x7fffffffe2c0 --> 0x7fffffffe370 --> 0x7fffffffe3d0 (--> ...)
RSP: 0x7fffffffdda8 --> 0x7ffff7b75ecb (<EvalSegmentedFn+621>:  movq   rax,xmm0)
RIP: 0x7ffff7b74c4b (<AllocateToneCurveStruct+1197>:    (bad))
R8 : 0x2ce
R9 : 0x7fffffffe3b0 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60c141 --> 0xb800007ffff7b74c
R13: 0x7fffffffe640 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7ffff7b74c4b <AllocateToneCurveStruct+1197>:       (bad)
   0x7ffff7b74c4c <AllocateToneCurveStruct+1198>:       je     0x7ffff7b74c65 <AllocateToneCurveStruct+1223>
   0x7ffff7b74c4e <AllocateToneCurveStruct+1200>:       mov    rax,QWORD PTR [rbp-0x20]
   0x7ffff7b74c52 <AllocateToneCurveStruct+1204>:       mov    rdx,QWORD PTR [rax+0x20]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdda8 --> 0x7ffff7b75ecb (<EvalSegmentedFn+621>: movq   rax,xmm0)
0008| 0x7fffffffddb0 --> 0x1
0016| 0x7fffffffddb8 --> 0x0
0024| 0x7fffffffddc0 --> 0x0
0032| 0x7fffffffddc8 --> 0x609df0 --> 0x60c180 --> 0x0
0040| 0x7fffffffddd0 --> 0x4237ffff80018000
0048| 0x7fffffffddd8 --> 0xc9cc2500
0056| 0x7fffffffdde0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b74c4b in AllocateToneCurveStruct (ContextID=0x0, nEntries=0x0, nSegments=0x1, Segments=0x7ffff7b75ecb <EvalSegmentedFn+621>, Values=0x7fffffffddf0) at ../../cms/src/cmsgamma.c:304
304         if (p -> Evals) _cmsFree(ContextID, p -> Evals);
gdb-peda$ p p
$1 = (cmsToneCurve *) 0x4237ffff80018000
gdb-peda$ p *p
Cannot access memory at address 0x4237ffff80018000

5-cms-invalid-access-cmsReadHeader

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b80000 in _cmsReadHeader (Icc=0x1b7d90508ff21000) at ../../cms/src/cmsio0.c:699
699             cmsSignalError(Icc ->ContextID, cmsERROR_BAD_SIGNATURE, "not an ICC profile, invalid signature");
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b80000 (<_cmsReadHeader+150>:      add    BYTE PTR [rax],al)
RBX: 0x7ffff4d764dc --> 0x0
RCX: 0x1fe020
RDX: 0x7ffff4d764dc --> 0x0
RSI: 0x7fffffffe2d0 --> 0x0
RDI: 0x60c410 --> 0x0
RBP: 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 --> 0x405ad0 (<__libc_csu_init>:        push   r15)
RSP: 0x7fffffffe288 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:       mov    rbx,rax)
RIP: 0x7ffff7b80000 (<_cmsReadHeader+150>:      add    BYTE PTR [rax],al)
R8 : 0x2ce
R9 : 0x7fffffffe370 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60c422 --> 0x8ee00007ffff7b8
R13: 0x7fffffffe600 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7ffff7b80000 <_cmsReadHeader+150>: add    BYTE PTR [rax],al
   0x7ffff7b80002 <_cmsReadHeader+152>: add    al,ch
   0x7ffff7b80004 <_cmsReadHeader+154>: push   0xffffffffb8fffefb
   0x7ffff7b80009 <_cmsReadHeader+159>: add    BYTE PTR [rax],al
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe288 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:      mov    rbx,rax)
0008| 0x7fffffffe290 --> 0x0
0016| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0
0024| 0x7fffffffe2a0 --> 0x1fe02000000001
0032| 0x7fffffffe2a8 --> 0x60aee0 --> 0x0
0040| 0x7fffffffe2b0 --> 0x7ffff4d71010 --> 0x0
0048| 0x7fffffffe2b8 --> 0x60c410 --> 0x0
0056| 0x7fffffffe2c0 --> 0x71600000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gdb-peda$ bt
#0  0x00007ffff7b80000 in _cmsReadHeader (Icc=0x1b7d90508ff21000) at ../../cms/src/cmsio0.c:699
#1  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c410, InputBuffer=0x7ffff4d71010, OutputBuffer=0x60aee0, Size=0x1fe020) at ../../cms/src/cmsxform.c:189
#2  0x0000000000402d73 in TileBasedXform (hXForm=0x60c410, in=0x609860, out=0x60a5c0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408
#3  0x00000000004044db in TransformImage (in=0x609860, out=0x60a5c0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#4  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167
#5  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291
#6  0x0000000000401fe9 in _start ()
gdb-peda$ p Icc
$3635 = (_cmsICCPROFILE *) 0x1b7d90508ff21000
gdb-peda$ p Icc->ContextID
Cannot access memory at address 0x1b7d90508ff21008


6-cms-invalid-access-Pack3Bytes


gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x643001
RBX: 0x7ffff5f94fd1 --> 0x0
RCX: 0x0
RDX: 0x643000 ('')
RSI: 0x0
RDI: 0x60c8f0 --> 0x4001900040091
RBP: 0x7fffffffe280 --> 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 (--> ...)
RSP: 0x7fffffffe280 --> 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 (--> ...)
RIP: 0x7ffff7b9095a (<Pack3Bytes+108>:  mov    BYTE PTR [rdx],cl)
R8 : 0x1
R9 : 0x7fffffffe370 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: Cannot access memory address
R13: 0x7fffffffe600 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10247 (CARRY PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b9094b <Pack3Bytes+93>:      imul   ecx,ecx,0xff01
   0x7ffff7b90951 <Pack3Bytes+99>:      add    ecx,0x800000
   0x7ffff7b90957 <Pack3Bytes+105>:     shr    ecx,0x18
=> 0x7ffff7b9095a <Pack3Bytes+108>:     mov    BYTE PTR [rdx],cl
   0x7ffff7b9095c <Pack3Bytes+110>:     pop    rbp
   0x7ffff7b9095d <Pack3Bytes+111>:     ret
   0x7ffff7b9095e <Pack3BytesOptimized>:        push   rbp
   0x7ffff7b9095f <Pack3BytesOptimized+1>:      mov    rbp,rsp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe280 --> 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 (--> ...)
0008| 0x7fffffffe288 --> 0x7ffff7b97b7f (<PrecalculatedXFORM+322>:      mov    r12,rax)
0016| 0x7fffffffe290 --> 0x0
0024| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0
0032| 0x7fffffffe2a0 --> 0x1fe02000000001
0040| 0x7fffffffe2a8 --> 0x60d040 --> 0x0
0048| 0x7fffffffe2b0 --> 0x7ffff5f5f010 --> 0x0
0056| 0x7fffffffe2b8 --> 0x60c8f0 --> 0x4001900040091
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b9095a in Pack3Bytes (info=0x60c8f0, wOut=0x0, output=0x643001 <error: Cannot access memory at address 0x643001>, Stride=0x0) at ../../cms/src/cmspack.c:1834
1834        *output++ = FROM_16_TO_8(wOut[2]);
gdb-peda$ p wOut[2]
Cannot access memory at address 0x4



7-cms-null-pointer-cmsPipelineCheckAndRetreiveStages

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGILL, Illegal instruction.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b85252 (<cmsPipelineCheckAndRetreiveStages+297>:   sbb    al,0xff)
RBX: 0x620c44 --> 0x52d552c552b552a5
RCX: 0x3030 ('00')
RDX: 0x620c44 --> 0x52d552c552b552a5
RSI: 0x7fffffffe2d0 --> 0x529552855275
RDI: 0x60c430 ("QQQQQ", 'R' <repeats 13 times>, "\270\367\377\177")
RBP: 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 --> 0x405ad0 (<__libc_csu_init>:        push   r15)
RSP: 0x7fffffffe288 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:       mov    rbx,rax)
RIP: 0x7ffff7b85254 (<cmsPipelineCheckAndRetreiveStages+299>:   (bad))
R8 : 0x1
R9 : 0x7fffffffe370 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60c442 --> 0x8ee00007ffff7b8
R13: 0x7fffffffe600 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10213 (CARRY parity ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7ffff7b85254 <cmsPipelineCheckAndRetreiveStages+299>:      (bad)
   0x7ffff7b85255 <cmsPipelineCheckAndRetreiveStages+300>:      push   QWORD PTR [rdx+rcx*1-0x48]
   0x7ffff7b85259 <cmsPipelineCheckAndRetreiveStages+304>:      add    BYTE PTR [rax],al
   0x7ffff7b8525b <cmsPipelineCheckAndRetreiveStages+306>:      add    BYTE PTR [rax],al
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe288 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:      mov    rbx,rax)
0008| 0x7fffffffe290 --> 0x0
0016| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0
0024| 0x7fffffffe2a0 --> 0x303000000001
0032| 0x7fffffffe2a8 --> 0x60af00 --> 0x40007ff6eb
0040| 0x7fffffffe2b0 --> 0x61e1c0 --> 0x7ffff76ceb78 --> 0x6302e0 --> 0x0
0048| 0x7fffffffe2b8 --> 0x60c430 ("QQQQQ", 'R' <repeats 13 times>, "\270\367\377\177")
0056| 0x7fffffffe2c0 --> 0x71600000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGILL
0x00007ffff7b85254 in cmsPipelineCheckAndRetreiveStages (Lut=0x0, n=0x0) at ../../cms/src/cmslut.c:129
129             if (mpe ->Type != Type) 
gdb-peda$ p mpe
$1 = (cmsStage *) 0x0
gdb-peda$ bt
#0  0x00007ffff7b85254 in cmsPipelineCheckAndRetreiveStages (Lut=0x0, n=0x0) at ../../cms/src/cmslut.c:129
#1  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c430, InputBuffer=0x61e1c0, OutputBuffer=0x60af00, Size=0x3030) at ../../cms/src/cmsxform.c:189
#2  0x0000000000402d73 in TileBasedXform (hXForm=0x60c430, in=0x609860, out=0x60a5e0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408
#3  0x00000000004044db in TransformImage (in=0x609860, out=0x60a5e0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#4  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167
#5  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291
#6  0x0000000000401fe9 in _start ()

8-cms-crash-UnrollDoubleTo16

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGILL, Illegal instruction.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b8f000 (<UnrollDoubleTo16+304>:    rex.RB fsubr st,st(0))
RBX: 0x7ffff4d79518 --> 0x0
RCX: 0x1fe020
RDX: 0x7ffff4d79518 --> 0x0
RSI: 0x7fffffffe2d0 --> 0x0
RDI: 0x60ea40 --> 0x0
RBP: 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 --> 0x405ad0 (<__libc_csu_init>:        push   r15)
RSP: 0x7fffffffe288 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:       mov    rbx,rax)
RIP: 0x7ffff7b8f003 (<UnrollDoubleTo16+307>:    (bad))
R8 : 0x2ce
R9 : 0x7fffffffe370 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60ea51 --> 0xee00007ffff7b8f0
R13: 0x7fffffffe600 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7ffff7b8f003 <UnrollDoubleTo16+307>:       (bad)
   0x7ffff7b8f004 <UnrollDoubleTo16+308>:       jmp    0x7ffff7b8f005 <UnrollDoubleTo16+309>
   0x7ffff7b8f006 <UnrollDoubleTo16+310>:       jmp    QWORD PTR [rsi-0x77]
   0x7ffff7b8f009 <UnrollDoubleTo16+313>:       rex.RB movs BYTE PTR es:[rdi],BYTE PTR ds:[rsi]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe288 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:      mov    rbx,rax)
0008| 0x7fffffffe290 --> 0x0
0016| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0
0024| 0x7fffffffe2a0 --> 0x1fe02000000001
0032| 0x7fffffffe2a8 --> 0x60c900 --> 0x0
0040| 0x7fffffffe2b0 --> 0x7ffff4d71010 --> 0x0
0048| 0x7fffffffe2b8 --> 0x60ea40 --> 0x0
0056| 0x7fffffffe2c0 --> 0xb1b00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGILL
0x00007ffff7b8f003 in UnrollDoubleTo16 (info=0x7ffff4d79518, wIn=0x60ea51, accum=0x7fffffffe600 "\003", Stride=0x0) at ../../cms/src/cmspack.c:989
989             vi = _cmsQuickSaturateWord(v * maximum);
gdb-peda$ bt
#0  0x00007ffff7b8f003 in UnrollDoubleTo16 (info=0x7ffff4d79518, wIn=0x60ea51, accum=0x7fffffffe600 "\003", Stride=0x0) at ../../cms/src/cmspack.c:989
#1  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60ea40, InputBuffer=0x7ffff4d71010, OutputBuffer=0x60c900, Size=0x1fe020) at ../../cms/src/cmsxform.c:189
#2  0x0000000000402d73 in TileBasedXform (hXForm=0x60ea40, in=0x609860, out=0x60a5b0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408
#3  0x00000000004044db in TransformImage (in=0x609860, out=0x60a5b0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#4  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167
#5  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291
#6  0x0000000000401fe9 in _start ()


9-cms-heap-overflow


[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x65 ('e')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0x1390
RDI: 0x1390
RBP: 0x7fffffffdad0 --> 0x50 ('P')
RSP: 0x7fffffffd738 --> 0x7ffff734102a (<__GI_abort+362>:       mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff733f428 (<__GI_raise+56>:   cmp    rax,0xfffffffffffff000)
R8 : 0x6
R9 : 0x0
R10: 0x8
R11: 0x206
R12: 0x65 ('e')
R13: 0x7fffffffd8e8 --> 0x7fffffffde80 --> 0x7fffffffdf14 --> 0xf4e7901000000000
R14: 0x7fffffffd8e8 --> 0x7fffffffde80 --> 0x7fffffffdf14 --> 0xf4e7901000000000
R15: 0x2
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff733f41e <__GI_raise+46>:      mov    eax,0xea
   0x7ffff733f423 <__GI_raise+51>:      movsxd rdi,ecx
   0x7ffff733f426 <__GI_raise+54>:      syscall
=> 0x7ffff733f428 <__GI_raise+56>:      cmp    rax,0xfffffffffffff000
   0x7ffff733f42e <__GI_raise+62>:      ja     0x7ffff733f450 <__GI_raise+96>
   0x7ffff733f430 <__GI_raise+64>:      repz ret
   0x7ffff733f432 <__GI_raise+66>:      nop    WORD PTR [rax+rax*1+0x0]
   0x7ffff733f438 <__GI_raise+72>:      test   ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd738 --> 0x7ffff734102a (<__GI_abort+362>:      mov    rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffd740 --> 0x20 (' ')
0016| 0x7fffffffd748 --> 0x0
0024| 0x7fffffffd750 --> 0x0
0032| 0x7fffffffd758 --> 0x0
0040| 0x7fffffffd760 --> 0x0
0048| 0x7fffffffd768 --> 0x0
0056| 0x7fffffffd770 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff734102a in __GI_abort () at abort.c:89
#2  0x00007ffff73817ea in __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff749aed8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff738c13e in malloc_printerr (ar_ptr=0x7ffff76ceb20 <main_arena>, ptr=0x610740, str=0x7ffff7497d3f "malloc(): memory corruption", action=<optimized out>) at malloc.c:5006
#4  _int_malloc (av=av@entry=0x7ffff76ceb20 <main_arena>, bytes=bytes@entry=0x40) at malloc.c:3474
#5  0x00007ffff738e184 in __GI___libc_malloc (bytes=0x40) at malloc.c:2913
#6  0x00007ffff7b73542 in _cmsMallocDefaultFn (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:97
#7  0x00007ffff7b73921 in _cmsMalloc (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:267
#8  0x00007ffff7b73564 in _cmsMallocZeroDefaultFn (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:106
#9  0x00007ffff7b7395d in _cmsMallocZero (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:274
#10 0x00007ffff7b84f63 in _cmsStageAllocPlaceholder (ContextID=0x4, Type=cmsSigMatrixElemType, InputChannels=0x3, OutputChannels=0x3, EvalPtr=0x7ffff7b85896 <EvaluateMatrix>, DupElemPtr=0x7ffff7b85995 <MatrixElemDup>, FreePtr=0x7ffff7b85a5d <MatrixElemTypeFree>, Data=0x0) at ../../cms/src/cmslut.c:40
#11 0x00007ffff7b85b9c in cmsStageAllocMatrix (ContextID=0x4, Rows=0x3, Cols=0x3, Matrix=0x7ffff7bbe400 <V2ToV4.7436>, Offset=0x0) at ../../cms/src/cmslut.c:394
#12 0x00007ffff7b87501 in _cmsStageAllocLabV2ToV4 (ContextID=0x4) at ../../cms/src/cmslut.c:1030
#13 0x00007ffff7b75ecb in EvalSegmentedFn (g=0x60ee90, R=0) at ../../cms/src/cmsgamma.c:694
#14 0x00007ffff7b78205 in cmsEvalToneCurveFloat (Curve=0x60ee90, v=0) at ../../cms/src/cmsgamma.c:1366
#15 0x00007ffff7b85426 in EvaluateCurves (In=0x7fffffffde60, Out=0x7fffffffe060, mpe=0x60eae0) at ../../cms/src/cmslut.c:182
#16 0x00007ffff7b87c5d in _LUTeval16 (In=0x1390, Out=0x7fffffffe2f0, D=0x0) at ../../cms/src/cmslut.c:1334
#17 0x00007ffff7b97b5e in PrecalculatedXFORM (p=0x60e940, in=0x7ffff4e79010, out=0x60f050, PixelsPerLine=0x1e803d, LineCount=0x1, Stride=0x7fffffffe370) at ../../cms/src/cmsxform.c:411
#18 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60e940, InputBuffer=0x7ffff4e79010, OutputBuffer=0x60f050, Size=0x1e803d) at ../../cms/src/cmsxform.c:189
#19 0x0000000000402d73 in TileBasedXform (hXForm=0x60e940, in=0x609860, out=0x60a4d0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408
#20 0x00000000004044db in TransformImage (in=0x609860, out=0x60a4d0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#21 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167
#22 0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe608, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291
#23 0x0000000000401fe9 in _start ()

10-cms-invalid-read-PackPlanarBytes

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x70c810
RBX: 0x7ffff5959014 --> 0x0
RCX: 0x100020
RDX: 0x0
RSI: 0x7fffffffe300 --> 0x0
RDI: 0x60c2a0 --> 0x4101900441094
RBP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
RSP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
RIP: 0x7ffff7b9003e (<PackPlanarBytes+167>:     mov    BYTE PTR [rax],dl)
R8 : 0x2ce
R9 : 0x7fffffffe380 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60c7f0 --> 0x7ffff76cf100 --> 0x7ffff76cf0e8 --> 0x7ffff76cf0d8 --> 0x7ffff76cf0c8 --> 0x7ffff76cf0b8 (--> ...)
R13: 0x7fffffffe610 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b90036 <PackPlanarBytes+159>:        not    edx
   0x7ffff7b90038 <PackPlanarBytes+161>:        jmp    0x7ffff7b9003e <PackPlanarBytes+167>
   0x7ffff7b9003a <PackPlanarBytes+163>:        movzx  edx,BYTE PTR [rbp-0x21]
=> 0x7ffff7b9003e <PackPlanarBytes+167>:        mov    BYTE PTR [rax],dl
   0x7ffff7b90040 <PackPlanarBytes+169>:        mov    edx,ecx
   0x7ffff7b90042 <PackPlanarBytes+171>:        add    rax,rdx
   0x7ffff7b90045 <PackPlanarBytes+174>:        add    DWORD PTR [rbp-0x20],0x1
   0x7ffff7b90049 <PackPlanarBytes+178>:        mov    edx,DWORD PTR [rbp-0x20]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
0008| 0x7fffffffe298 --> 0x7ffff7b97b7f (<PrecalculatedXFORM+322>:      mov    r12,rax)
0016| 0x7fffffffe2a0 --> 0x0
0024| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0
0032| 0x7fffffffe2b0 --> 0x10002000000001
0040| 0x7fffffffe2b8 --> 0x60c7f0 --> 0x7ffff76cf100 --> 0x7ffff76cf0e8 --> 0x7ffff76cf0d8 --> 0x7ffff76cf0c8 (--> ...)
0048| 0x7fffffffe2c0 --> 0x7ffff5959010 --> 0x0
0056| 0x7fffffffe2c8 --> 0x60c2a0 --> 0x4101900441094
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b9003e in PackPlanarBytes (info=0x60c2a0, wOut=0x7fffffffe300, output=0x70c810 <error: Cannot access memory at address 0x70c810>, Stride=0x100020) at ../../cms/src/cmspack.c:1458
1458            *(cmsUInt8Number*)  output = (cmsUInt8Number) (Reverse ? REVERSE_FLAVOR_8(v) : v);
gdb-peda$ p output
$1 = (cmsUInt8Number *) 0x70c810 <error: Cannot access memory at address 0x70c810>


11-cms-invalid-write-cmsPipelineCheckAndRetreiveStages

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGILL, Illegal instruction.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b85300 (<cmsPipelineCheckAndRetreiveStages+471>:   test   DWORD PTR [rax],ebp)
RBX: 0x7fffffffe300 --> 0xffff
RCX: 0x7fffffffde70 --> 0x3f800000
RDX: 0x60ea50 --> 0x0
RSI: 0x7fffffffe070 --> 0x3f800000
RDI: 0x7fffffffde70 --> 0x3f800000
RBP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
RSP: 0x7fffffffde48 --> 0x7ffff7b87c5d (<_LUTeval16+197>:       mov    eax,DWORD PTR [rbp-0x434])
RIP: 0x7ffff7b85302 (<cmsPipelineCheckAndRetreiveStages+473>:   (bad))
R8 : 0x2ce
R9 : 0x7fffffffe380 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60cc49 --> 0x5afb53fb4bfb44fb
R13: 0x7fffffffe610 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7ffff7b85302 <cmsPipelineCheckAndRetreiveStages+473>:      (bad)
   0x7ffff7b85303 <cmsPipelineCheckAndRetreiveStages+474>:      (bad)
   0x7ffff7b85304 <cmsPipelineCheckAndRetreiveStages+475>:      dec    DWORD PTR [rax-0x75]
   0x7ffff7b85307 <cmsPipelineCheckAndRetreiveStages+478>:      xchg   ebp,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde48 --> 0x7ffff7b87c5d (<_LUTeval16+197>:      mov    eax,DWORD PTR [rbp-0x434])
0008| 0x7fffffffde50 --> 0x7ffff7b68410 --> 0x5f6e6f6d675f5f00 ('')
0016| 0x7fffffffde58 --> 0x100000000
0024| 0x7fffffffde60 --> 0x60ea50 --> 0x0
0032| 0x7fffffffde68 --> 0x609ee0 --> 0x60ea50 --> 0x0
0040| 0x7fffffffde70 --> 0x3f800000
0048| 0x7fffffffde78 --> 0x7fff00000000
0056| 0x7fffffffde80 --> 0x7fffffffdf14 --> 0x609c9800000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGILL
0x00007ffff7b85302 in cmsPipelineCheckAndRetreiveStages (Lut=0x608088, n=0x0) at ../../cms/src/cmslut.c:143
143                 *ElemPtr = mpe;
gdb-peda$ bt
#0  0x00007ffff7b85302 in cmsPipelineCheckAndRetreiveStages (Lut=0x608088, n=0x0) at ../../cms/src/cmslut.c:143
#1  0x00007ffff7b97b5e in PrecalculatedXFORM (p=0x60c2a0, in=0x626580, out=0x60c7f0, PixelsPerLine=0x1e20, LineCount=0x1, Stride=0x7fffffffe380) at ../../cms/src/cmsxform.c:411
#2  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c2a0, InputBuffer=0x626580, OutputBuffer=0x60c7f0, Size=0x1e20) at ../../cms/src/cmsxform.c:189
#3  0x0000000000402d73 in TileBasedXform (hXForm=0x60c2a0, in=0x609860, out=0x60a480, nPlanes=0x3) at ../../../cms/utils/tificc/tificc.c:408
#4  0x00000000004044db in TransformImage (in=0x609860, out=0x60a480, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#5  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167
#6  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe618, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291
#7  0x0000000000401fe9 in _start ()
gdb-peda$ p ElemPtr
$1 = (void **) 0xc0dfff9fe2b9c1c6
gdb-peda$ p *ElemPtr
Cannot access memory at address 0xc0dfff9fe2b9c1c6

12-cms-invalid-access-EvaluateCurves

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xd54f63cff6bf3700
RBX: 0x7fffffffe320 --> 0xffffffff
RCX: 0x7fffffffde90 --> 0x3f8000003f800000
RDX: 0x8b48108b
RSI: 0x7fffffffe090 --> 0x3f8000003f800000
RDI: 0x7fffffffde90 --> 0x3f8000003f800000
RBP: 0x7fffffffe2b0 --> 0x7fffffffe360 --> 0x7fffffffe3c0 --> 0x7fffffffe430 --> 0x7fffffffe520 --> 0x7fffffffe550 (--> ...)
RSP: 0x7fffffffde68 --> 0x7ffff7b87c5d (<_LUTeval16+197>:       mov    eax,DWORD PTR [rbp-0x434])
RIP: 0x7ffff7b85405 (<EvaluateCurves+143>:      mov    rax,QWORD PTR [rax+0x8])
R8 : 0x2ce
R9 : 0x7fffffffe3a0 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60ccc9 --> 0x97fd90fd89fd82fd
R13: 0x7fffffffe630 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b853fc <EvaluateCurves+134>: add    rax,rdx
   0x7ffff7b853ff <EvaluateCurves+137>: mov    edx,DWORD PTR [rax]
   0x7ffff7b85401 <EvaluateCurves+139>: mov    rax,QWORD PTR [rbp-0x18]
=> 0x7ffff7b85405 <EvaluateCurves+143>: mov    rax,QWORD PTR [rax+0x8]
   0x7ffff7b85409 <EvaluateCurves+147>: mov    ecx,DWORD PTR [rbp-0x1c]
   0x7ffff7b8540c <EvaluateCurves+150>: shl    rcx,0x3
   0x7ffff7b85410 <EvaluateCurves+154>: add    rax,rcx
   0x7ffff7b85413 <EvaluateCurves+157>: mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde68 --> 0x7ffff7b87c5d (<_LUTeval16+197>:      mov    eax,DWORD PTR [rbp-0x434])
0008| 0x7fffffffde70 --> 0x7ffff7b68410 --> 0x5f6e6f6d675f5f00 ('')
0016| 0x7fffffffde78 --> 0x100000000
0024| 0x7fffffffde80 --> 0x60ea30 ("&.6>K[k{\227\267\326\367", '\377' <repeats 13 times>, "S\270\367\377\177")
0032| 0x7fffffffde88 --> 0x609ec0 --> 0x60ea30 ("&.6>K[k{\227\267\326\367", '\377' <repeats 13 times>, "S\270\367\377\177")
0040| 0x7fffffffde90 --> 0x3f8000003f800000
0048| 0x7fffffffde98 --> 0x7fff00000000
0056| 0x7fffffffdea0 --> 0x7fffffffdf34 --> 0x609c9800000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b85405 in EvaluateCurves (In=0x40efffe000000000, Out=0x100000001, mpe=0x1) at ../../cms/src/cmslut.c:182
182             Out[i] = cmsEvalToneCurveFloat(Data ->TheCurves[i], In[i]);
gdb-peda$ p Out
$1 = (cmsFloat32Number *) 0x100000001
gdb-peda$ p Out[i]
Cannot access memory at address 0x100000001


13-cms-null-pointer-FastIdentity16


gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7fc9a98 --> 0x0
RCX: 0x7fffffffe2e0 --> 0x0
RDX: 0x0
RSI: 0x7fffffffe300 --> 0x0
RDI: 0x7fffffffe2e0 --> 0x0
RBP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
RSP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
RIP: 0x7ffff7bbaa37 (<FastIdentity16+56>:       mov    eax,DWORD PTR [rax+0x8])
R8 : 0x7fffffffe2e0 --> 0x0
R9 : 0x7fffffffe380 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x615ca3 --> 0x50f849f842f83af8
R13: 0x7fffffffe610 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7bbaa2c <FastIdentity16+45>:  mov    WORD PTR [rdx],ax
   0x7ffff7bbaa2f <FastIdentity16+48>:  add    DWORD PTR [rbp-0xc],0x1
   0x7ffff7bbaa33 <FastIdentity16+52>:  mov    rax,QWORD PTR [rbp-0x8]
=> 0x7ffff7bbaa37 <FastIdentity16+56>:  mov    eax,DWORD PTR [rax+0x8]
   0x7ffff7bbaa3a <FastIdentity16+59>:  cmp    eax,DWORD PTR [rbp-0xc]
   0x7ffff7bbaa3d <FastIdentity16+62>:  ja     0x7ffff7bbaa16 <FastIdentity16+23>
   0x7ffff7bbaa3f <FastIdentity16+64>:  nop
   0x7ffff7bbaa40 <FastIdentity16+65>:  pop    rbp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...)
0008| 0x7fffffffe298 --> 0x7ffff7b97b5e (<PrecalculatedXFORM+289>:      mov    rax,QWORD PTR [rbp-0x78])
0016| 0x7fffffffe2a0 --> 0x0
0024| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0
0032| 0x7fffffffe2b0 --> 0x832000000001
0040| 0x7fffffffe2b8 --> 0x60df60 --> 0x0
0048| 0x7fffffffe2c0 --> 0x7ffff7fba010 --> 0x0
0056| 0x7fffffffe2c8 --> 0x60c2a0 --> 0x4101900041092
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7bbaa37 in FastIdentity16 (In=0x7fffffffe2e0, Out=0x7fffffffe300, D=0x0) at ../../cms/src/cmsopt.c:1371
1371        for (i=0; i < Lut ->InputChannels; i++) 
gdb-peda$ bt
#0  0x00007ffff7bbaa37 in FastIdentity16 (In=0x7fffffffe2e0, Out=0x7fffffffe300, D=0x0) at ../../cms/src/cmsopt.c:1371
#1  0x00007ffff7b97b5e in PrecalculatedXFORM (p=0x60c2a0, in=0x7ffff7fba010, out=0x60df60, PixelsPerLine=0x8320, LineCount=0x1, Stride=0x7fffffffe380) at ../../cms/src/cmsxform.c:411
#2  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c2a0, InputBuffer=0x7ffff7fba010, OutputBuffer=0x60df60, Size=0x8320) at ../../cms/src/cmsxform.c:189
#3  0x0000000000402d73 in TileBasedXform (hXForm=0x60c2a0, in=0x609860, out=0x60a480, nPlanes=0x3) at ../../../cms/utils/tificc/tificc.c:408
#4  0x00000000004044db in TransformImage (in=0x609860, out=0x60a480, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#5  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167
#6  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe618, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291
#7  0x0000000000401fe9 in _start ()
gdb-peda$ p Lut
$1 = (cmsPipeline *) 0x0


14-cms-invalid-access-Unroll1ByteReversed


gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b8e600 (<Unroll1ByteReversed+28>:  mov    r8d,edi)
RBX: 0x6166ee --> 0x882588158805168e
RCX: 0x1810
RDX: 0x168e
RSI: 0x168e
RDI: 0xff9f168e
RBP: 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 --> 0x405ad0 (<__libc_csu_init>:        push   r15)
RSP: 0x7fffffffe298 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:       mov    rbx,rax)
RIP: 0x7ffff7b8e61b (<Unroll1ByteReversed+55>:  mov    WORD PTR [rcx],dx)
R8 : 0x60e930 --> 0x87870087870087
R9 : 0x7fffffffe380 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60e941 --> 0xee00007ffff7b8e6
R13: 0x7fffffffe610 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b8e612 <Unroll1ByteReversed+46>:     movzx  esi,WORD PTR [rsi]
   0x7ffff7b8e615 <Unroll1ByteReversed+49>:     mov    WORD PTR [rdx],si
   0x7ffff7b8e618 <Unroll1ByteReversed+52>:     movzx  edx,WORD PTR [rdx]
=> 0x7ffff7b8e61b <Unroll1ByteReversed+55>:     mov    WORD PTR [rcx],dx
   0x7ffff7b8e61e <Unroll1ByteReversed+58>:     add    rax,0x1
   0x7ffff7b8e622 <Unroll1ByteReversed+62>:     pop    rbp
   0x7ffff7b8e623 <Unroll1ByteReversed+63>:     ret
   0x7ffff7b8e624 <UnrollAnyWords>:     push   rbp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe298 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:      mov    rbx,rax)
0008| 0x7fffffffe2a0 --> 0x0
0016| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0
0024| 0x7fffffffe2b0 --> 0x181000000001
0032| 0x7fffffffe2b8 --> 0x60ade0 --> 0x7f00f20000f6f2
0040| 0x7fffffffe2c0 --> 0x60f040 --> 0x7ffff76cf2e8 --> 0x7ffff76cf2d8 --> 0x7ffff76cf2c8 --> 0x7ffff76cf2b8 (--> ...)
0048| 0x7fffffffe2c8 --> 0x60e930 --> 0x87870087870087
0056| 0x7fffffffe2d0 --> 0x13cb00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b8e61b in Unroll1ByteReversed (info=0xff9f168e, wIn=0x1810, accum=0x7ffff7b8e600 <Unroll1ByteReversed+28> "A\211\370\017\266\070@\017\266\377D\t\307\367\327f\211>\017\267\066f\211\062\017\267\022f\211\021H\203\300\001]\303UH\211\345ATSH\203\354\060H\211\370I\211\364H\211\323\213\020\301\352\003\203\342\017\211U\320\213\020\301\352\v\203\342\001\211U\324\213\020\301\352\n\203\342\001\211U\330\213\020\301\352\r\203\342\001\211U\334\213\020\301\352\016\203\342\001\211U\340\213", Stride=0x1810) at ../../cms/src/cmspack.c:462
462         wIn[0] = wIn[1] = wIn[2] = REVERSE_FLAVOR_16(FROM_8_TO_16(*accum)); accum++;     // L *)
gdb-peda$ bt
#0  0x00007ffff7b8e61b in Unroll1ByteReversed (info=0xff9f168e, wIn=0x1810, accum=0x7ffff7b8e600 <Unroll1ByteReversed+28> "A\211\370\017\266\070@\017\266\377D\t\307\367\327f\211>\017\267\066f\211\062\017\267\022f\211\021H\203\300\001]\303UH\211\345ATSH\203\354\060H\211\370I\211\364H\211\323\213\020\301\352\003\203\342\017\211U\320\213\020\301\352\v\203\342\001\211U\324\213\020\301\352\n\203\342\001\211U\330\213\020\301\352\r\203\342\001\211U\334\213\020\301\352\016\203\342\001\211U\340\213", Stride=0x1810) at ../../cms/src/cmspack.c:462
#1  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60e930, InputBuffer=0x60f040, OutputBuffer=0x60ade0, Size=0x1810) at ../../cms/src/cmsxform.c:189
#2  0x0000000000402d73 in TileBasedXform (hXForm=0x60e930, in=0x609860, out=0x60a4c0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408
#3  0x00000000004044db in TransformImage (in=0x609860, out=0x60a4c0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#4  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167
#5  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe618, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291
#6  0x0000000000401fe9 in _start ()
gdb-peda$ p wIn[0]
Cannot access memory at address 0x1810

15-cms-null-pointer-UnrollAnyWords

gdb --args tificc $POC /tmp/out.tiff
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b8e6c3 (<UnrollAnyWords+159>:      or     BYTE PTR [rbx+0x148ec45],cl)
RBX: 0x62577e --> 0xc45cc452c448c43e
RCX: 0x2e10
RDX: 0x62577e --> 0xc45cc452c448c43e
RSI: 0x7fffffffe2e0 --> 0xc402c3f8c3eec3e4
RDI: 0x60e930 --> 0xc2c2c2c2c2c200c2
RBP: 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 --> 0x405ad0 (<__libc_csu_init>:        push   r15)
RSP: 0x7fffffffe298 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:       mov    rbx,rax)
RIP: 0x7ffff7b8e6c3 (<UnrollAnyWords+159>:      or     BYTE PTR [rbx+0x148ec45],cl)
R8 : 0x1
R9 : 0x7fffffffe380 --> 0x0
R10: 0x15b
R11: 0x7ffff7b97389 (<cmsDoTransform>:  push   rbp)
R12: 0x60e941 --> 0xee00007ffff7b8e6
R13: 0x7fffffffe610 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x7ffff7b8e6c3 <UnrollAnyWords+159>: or     BYTE PTR [rbx+0x148ec45],cl
   0x7ffff7b8e6c9 <UnrollAnyWords+165>: ror    BYTE PTR [rcx-0x73],0x14
   0x7ffff7b8e6cd <UnrollAnyWords+169>: add    al,0x83
   0x7ffff7b8e6cf <UnrollAnyWords+171>: jge    0x7ffff7b8e6ad <UnrollAnyWords+137>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe298 --> 0x7ffff7b97b36 (<PrecalculatedXFORM+249>:      mov    rbx,rax)
0008| 0x7fffffffe2a0 --> 0x0
0016| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0
0024| 0x7fffffffe2b0 --> 0x2e1000000001
0032| 0x7fffffffe2b8 --> 0x60ade0 --> 0xeb000000e7
0040| 0x7fffffffe2c0 --> 0x61e080 --> 0x60e7f0 --> 0xb500b5b500b5b500
0048| 0x7fffffffe2c8 --> 0x60e930 --> 0xc2c2c2c2c2c200c2
0056| 0x7fffffffe2d0 --> 0x13cb00000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b8e6c3 in UnrollAnyWords (info=0x7ffff7b8e6c3 <UnrollAnyWords+159>, wIn=0x60e941, accum=0x62577e ">\304H\304R\304\\\304e\304o\304y\304\203\304\215\304\227\304\241\304\253\304\265\304\277\304\311\304\323\304\335\304\347\304\361\304\373\304\005\305\017\305\031\305#\305,\305\066\305@\305J\305T\305^\305h\305r\305|\305\206\305\220\305\231\305\243\305\255\305\267\305\301\305\313\305\325\305\337\305\351\305\362\305\374\305\006\306\020\306\032\306$\306.\306\067\306A\306K\306U\306_\306i\306s\306|\306\206\306\220\306\232\306\244\306\256\306\267\306\301\306\313\306\325\306\337\306\350\306\362\306\374\306\006\307\020\307\031\307#\307-\307\067\307A\307J\307T\307^\307h\307r\307{\307\205\307\217\307\231\307\242\307\254\307\266\307\300\307\311\307\323\307\335\307\347\307\360\307\372\307\004\310\016\310"..., Stride=0x2e10) at ../../cms/src/cmspack.c:496
496                 v = CHANGE_ENDIAN(v);
gdb-peda$ bt
#0  0x00007ffff7b8e6c3 in UnrollAnyWords (info=0x7ffff7b8e6c3 <UnrollAnyWords+159>, wIn=0x60e941, accum=0x62577e ">\304H\304R\304\\\304e\304o\304y\304\203\304\215\304\227\304\241\304\253\304\265\304\277\304\311\304\323\304\335\304\347\304\361\304\373\304\005\305\017\305\031\305#\305,\305\066\305@\305J\305T\305^\305h\305r\305|\305\206\305\220\305\231\305\243\305\255\305\267\305\301\305\313\305\325\305\337\305\351\305\362\305\374\305\006\306\020\306\032\306$\306.\306\067\306A\306K\306U\306_\306i\306s\306|\306\206\306\220\306\232\306\244\306\256\306\267\306\301\306\313\306\325\306\337\306\350\306\362\306\374\306\006\307\020\307\031\307#\307-\307\067\307A\307J\307T\307^\307h\307r\307{\307\205\307\217\307\231\307\242\307\254\307\266\307\300\307\311\307\323\307\335\307\347\307\360\307\372\307\004\310\016\310"..., Stride=0x2e10) at ../../cms/src/cmspack.c:496
#1  0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60e930, InputBuffer=0x61e080, OutputBuffer=0x60ade0, Size=0x2e10) at ../../cms/src/cmsxform.c:189
#2  0x0000000000402d73 in TileBasedXform (hXForm=0x60e930, in=0x609860, out=0x60a4c0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408
#3  0x00000000004044db in TransformImage (in=0x609860, out=0x60a4c0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904
#4  0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167
#5  0x00007ffff732a830 in __libc_start_main (main=0x404c38 <main>, argc=0x3, argv=0x7fffffffe618, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291
#6  0x0000000000401fe9 in _start ()
gdb-peda$ p v
$1 = 0x0