SIO in `bool parse3DTable()` at iccFromCube.cpp#L218

[xsscx]

Maintainer Repro

2026-02-20 11:52:37 UTC

Summary

SIO in bool parse3DTable() at iccFromCube.cpp#L218 reported by @sy460129

PoC Replay

Requirement: Reproduction with Project Tool using Sanitizers.

Step 1. iccFromCube input.icc output.icc

PoC Expected Output

Tools/CmdLine/IccFromCube/iccFromCube.cpp:218:38: runtime error: signed integer overflow: -1156317184 * -1156317184 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Tools/CmdLine/IccFromCube/iccFromCube.cpp:218:38

CVSS

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium)

CWE

CWE-190
CWE-681

Rationale: local execution of the tool triggers UB and can crash (A:H), but no demonstrated confidentiality/integrity impact.

Host

Linux 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Source Tested

8cfeaec (HEAD -> master, origin/master, origin/HEAD) Add: Dockerfiles & Workflows (#597)

Build

export CXX=clang++
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV/Build
git checkout 8cfeaec
sudo apt install -y libpng-dev libjpeg-dev libwxgtk3.2-dev libwxgtk-{media,webview}3.2-dev wx-common wx3.2-headers libtiff6 curl git make cmake clang clang-tools libxml2{-dev,} nlohmann-json3-dev build-essential
CC=clang CXX=clang++ cmake Cmake -DCMAKE_BUILD_TYPE=Debug -Wno-dev -DCMAKE_CXX_FLAGS="-g3 -O1 -Wall -Wextra -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize=address,undefined -fno-sanitize-recover=address,undefined"
make -j$(nproc)

PoC: wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/ub_sio_parse3Dtable-IccFromCube_cpp-Line218.icc

ub_sio_parse3Dtable-IccFromCube_cpp-Line218.icc.txt

[xsscx]

Maintainer Note

This issue was initially opened as a potential Security Issue but this is just a logic bug and should be opened as an Issue.

[xsscx]

Maintainer Patch

2026-02-20 13:14:47 UTC

Patch to be Fuzzed on cfl branch may aid Developers:

diff --git a/Tools/CmdLine/IccFromCube/iccFromCube.cpp b/Tools/CmdLine/IccFromCube/iccFromCube.cpp
index 2cf234c..9b7699c 100644
--- a/Tools/CmdLine/IccFromCube/iccFromCube.cpp
+++ b/Tools/CmdLine/IccFromCube/iccFromCube.cpp
@@ -215,10 +215,13 @@ public:
   int sizeLut3D() { return m_sizeLut3D; }
   bool parse3DTable(icFloatNumber* toLut, icUInt32Number nSizeLut)
   {
-    icUInt32Number num = m_sizeLut3D * m_sizeLut3D * m_sizeLut3D;
+    if (m_sizeLut3D <= 0)
+      return false;
+
+    icUInt32Number size = (icUInt32Number)m_sizeLut3D;
+    icUInt32Number num = size * size * size;

-    //
-    if (!m_sizeLut3D || nSizeLut != num*3)
+    if (nSizeLut != num * 3)
       return false;

     const char* next;

[xsscx]

Maintainer Note

2026-02-20 13:21:05 UTC

Hi @sy460129

Thank you for the Reports. A few datapoints below.

Maintainers published the CFL & libFuzzer Campaign Code at URL https://github.com/InternationalColorConsortium/iccDEV/tree/cfl/Testing/Fuzzing/src.

Maintainers are Fuzzing iccDEV with Burp Suite, CFL & libFuzzer, AFL ... and all the usual Tooling.

Fuzzers attempt to maintain fidelity with the project tooling using Call Graphs & AST from the Tools, iccToXml, iccFromXml etc...

All potential Bugs need to Reproduce using project tooling, that is key point for anyone looking for bugs.

The bugs fixed result with the Fuzzers needing a re-write to find more Bugs.

The current dictionary is up to date with the Patch Kit.

Patches should be added to cfl branch for Testing.

Please do Post any Questions.

Thank You for the Bug Reports!

[xsscx]

Profile Insight

2026-02-20 14:29:58 UTC

=======================================================================
HEADER VALIDATION HEURISTICS
=======================================================================

[H1] Profile Size: 1414091852 bytes (0x5449544C)  [actual file: 258 bytes]
     [WARN]  HEURISTIC: Profile size > 1 GiB (possible memory exhaustion)
     Risk: Resource exhaustion attack
     [WARN]  HEURISTIC: Header claims 1414091852 bytes but file is 258 bytes (5480976x inflation)
     Risk: OOM via tag-internal allocations sized from inflated header

[H2] Magic Bytes (offset 0x24): 30 30 30 30 (0000)
     [WARN]  HEURISTIC: Invalid magic bytes (expected "acsp")
     Risk: Not a valid ICC profile, possible format confusion attack

[H3] Data ColorSpace: 0x4C555422 (LUT")
ICC_DEBUG: [iccDEV/IccProfLib/IccSignatureUtils.h:288] IsValidColorSpaceSignature(): input = 0x4c555422 (Unknown)
ICC_WARN: [iccDEV/IccProfLib/IccSignatureUtils.h:311] IccSignatureUtils.h: ColorSpace signature: 0x4c555422 (Unknown)
ICC_DEBUG: [iccDEV/IccProfLib/IccSignatureUtils.h:288] IsValidColorSpaceSignature(): input = 0x4c555422 (Unknown)
ICC_WARN: [iccDEV/IccProfLib/IccSignatureUtils.h:311] IccSignatureUtils.h: ColorSpace signature: 0x4c555422 (Unknown)
     [WARN]  HEURISTIC: Unknown/invalid colorSpace signature
     Risk: Parser may not handle unknown values safely
     Name: Unknown  Bytes: 'LUT"'

[H4] PCS ColorSpace: 0x0A4C5554 (.LUT)
ICC_DEBUG: [iccDEV/IccProfLib/IccSignatureUtils.h:288] IsValidColorSpaceSignature(): input = 0x0a4c5554 (Unknown)
ICC_WARN: [iccDEV/IccProfLib/IccSignatureUtils.h:311] IccSignatureUtils.h: ColorSpace signature: 0x0a4c5554 (Unknown)
     [WARN]  HEURISTIC: Invalid PCS signature (must be Lab, XYZ, or spectral)
     Risk: Colorimetric transform failures
     Name: Unknown  Bytes: '
LUT'

[H5] Platform: 0x30303030 (0000)
     [WARN]  HEURISTIC: Unknown platform signature
     Risk: Platform-specific code path exploitation

[H6] Rendering Intent: 705301002 (0x2A0A0A0A)
     [WARN]  HEURISTIC: Invalid rendering intent (> 3)
     Risk: Out-of-bounds enum access

[H7] Profile Class: 0x69747920 (ity )
     [OK] Known class: Unknown 'ity ' = 69747920

[H8] Illuminant XYZ: (2655.325439, 23109.125000, 12334.187500)
     [WARN]  HEURISTIC: Illuminant values > 5.0 (suspicious)
     Risk: Floating-point overflow in transforms

[H15] Date Validation: 24371-17503-21321 23109:8242:12336
      [WARN]  HEURISTIC: Invalid month: 17503
      [WARN]  HEURISTIC: Invalid day: 21321
      [WARN]  HEURISTIC: Invalid hours: 23109
      [WARN]  HEURISTIC: Invalid minutes: 8242
      [WARN]  HEURISTIC: Invalid seconds: 12336
      [WARN]  HEURISTIC: Suspicious year: 24371 (expected 1900-2100)
      Risk: Malformed date may indicate crafted/corrupted profile

[H16] Signature Pattern Analysis
      [WARN]  platform: 0x30303030 repeat-byte pattern (fuzz artifact?)
      Risk: 1 repeat-byte signature(s) — likely crafted/fuzzed profile

[H17] Spectral Range Validation
      Spectral: start=0.01nm end=0.10nm steps=2608
      BiSpectral: start=0.00nm end=0.10nm steps=8202

[xsscx]

Maintainer Comments

2026-02-21 12:58:51 UTC

Hello @sy460129

Nice work on firing up a Fuzzer for iccFromCube, Keep Going!! There may be a few more bugs to Report.

Open a new Issue if you find anything.. Poc and Crash snip is all, use the writeup on your blog, anytime.

Maintainers will land a Patch to Test. Once a Patch is Merged the Maintainers will request CVE.

The Merge Cycle has slowed now that all Patches are being Fuzzed prior to Merge.

Soft Timeline of 0-60 days for a Report->Patch->Test->Pr->Merge Lifecycle.

Thank you again for your Reports.

[ChrisCoxArt]

IccFromCube probably has some other rough edges.
Looks like the CUBE parsing was tested on known good files, and not much else.