
HUAF in CIccCmm::AddXform() at IccCmm.cpp:8320 #612

@xsscx

Description


Maintainer Repro

2026-02-23 14:28:16 UTC

Git Testing

8cfeaec (HEAD -> master, origin/master, origin/HEAD) Add: Dockerfiles & Workflows (Add: Dockerfiles for Packages #597)
43ae18d (HEAD -> master, origin/master, origin/HEAD) Fix: SIO in bool parse3DTable() (#611)

Step 1. `wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/tif/test_8x8.tif`

Step 2. `wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/huaf-CIccCmm-AddXform-IccCmm_cpp-Line8320.icc`

Step 3. `iccApplyProfiles test_8x8.tif /tmp/out.tif 2 1 0 0 0 huaf-CIccCmm-AddXform-IccCmm_cpp-Line8320.icc 0`

PoC Expected Output

```text
/home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8320:17: runtime error: member access within address 0x511000000180 which does not point to an object of type 'CIccProfile'
0x511000000180: note: object has invalid vptr
 00 00 00 00  dc 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8320:17
=================================================================
==33374==ERROR: AddressSanitizer: heap-use-after-free on address 0x511000000194 at pc 0x7861eab59f5e bp 0x7ffe7f2b72b0 sp 0x7ffe7f2b72a8
READ of size 4 at 0x511000000194 thread T0
    #0 0x7861eab59f5d in CIccCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8320:26
    #1 0x7861eab52565 in CIccCmm::AddXform(char const*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*, bool) /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8045:20
    #2 0x57d465b44589 in main /home/h02332/po/research/iccdev/Tools/CmdLine/IccApplyProfiles/iccApplyProfiles.cpp:334:18
    #3 0x7861e9e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7861e9e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x57d465a63ae4 in _start (/home/h02332/po/research/iccdev/Build/Tools/IccApplyProfiles/iccApplyProfiles+0x128ae4) (BuildId: c620da231ddde20f84bc611f36f21e7ced68f9c5)

0x511000000194 is located 20 bytes inside of 208-byte region [0x511000000180,0x511000000250)
freed by thread T0 here:
    #0 0x57d465b3d7d1 in operator delete(void*) (/home/h02332/po/research/iccdev/Build/Tools/IccApplyProfiles/iccApplyProfiles+0x2027d1) (BuildId: c620da231ddde20f84bc611f36f21e7ced68f9c5)
    #1 0x7861eade8611 in CIccProfile::~CIccProfile() /home/h02332/po/research/iccdev/IccProfLib/IccProfile.cpp:241:1
    #2 0x7861eaa7334c in CIccXform::Create(CIccProfile*, bool, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:546:5
    #3 0x7861eab59d70 in CIccCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8314:15
    #4 0x7861eab52565 in CIccCmm::AddXform(char const*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*, bool) /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8045:20
    #5 0x57d465b44589 in main /home/h02332/po/research/iccdev/Tools/CmdLine/IccApplyProfiles/iccApplyProfiles.cpp:334:18
    #6 0x7861e9e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7861e9e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #8 0x57d465a63ae4 in _start (/home/h02332/po/research/iccdev/Build/Tools/IccApplyProfiles/iccApplyProfiles+0x128ae4) (BuildId: c620da231ddde20f84bc611f36f21e7ced68f9c5)

previously allocated by thread T0 here:
    #0 0x57d465b3cf51 in operator new(unsigned long) (/home/h02332/po/research/iccdev/Build/Tools/IccApplyProfiles/iccApplyProfiles+0x201f51) (BuildId: c620da231ddde20f84bc611f36f21e7ced68f9c5)
    #1 0x7861eae371cc in OpenIccProfile(char const*, bool) /home/h02332/po/research/iccdev/IccProfLib/IccProfile.cpp:3559:23
    #2 0x7861eab52344 in CIccCmm::AddXform(char const*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*, bool) /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8040:27
    #3 0x57d465b44589 in main /home/h02332/po/research/iccdev/Tools/CmdLine/IccApplyProfiles/iccApplyProfiles.cpp:334:18
    #4 0x7861e9e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7861e9e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0x57d465a63ae4 in _start (/home/h02332/po/research/iccdev/Build/Tools/IccApplyProfiles/iccApplyProfiles+0x128ae4) (BuildId: c620da231ddde20f84bc611f36f21e7ced68f9c5)

SUMMARY: AddressSanitizer: heap-use-after-free /home/h02332/po/research/iccdev/IccProfLib/IccCmm.cpp:8320:26 in CIccCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*)
Shadow bytes around the buggy address:
  0x510fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x510fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x511000000000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x511000000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x511000000100: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x511000000180: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x511000000200: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x511000000280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x511000000300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x511000000380: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x511000000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==33374==ABORTING
```
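The trace shows the profile being freed inside `CIccXform::Create()` (via `CIccProfile::~CIccProfile()`) and then read again by the caller at IccCmm.cpp:8320. The following is an added illustration of that ownership hazard, not iccDEV code: `Profile`, `Xform`, `createXform` and the `addXform*` functions are simplified stand-ins, and the two fixes model the caller-side check and the explicit ownership transfer a maintainer would choose between.

```cpp
// Added example, not iccDEV code: a minimal model of the ownership hazard the
// trace above shows. The factory deletes the profile it was handed when it
// fails, so any later access to that pointer by the caller is a heap UAF.
#include <cstdint>
#include <memory>
struct Profile { uint32_t version; bool parsable; };  // stand-in for CIccProfile
struct Xform   { uint32_t srcVersion; };              // stand-in for CIccXform

// Factory with the contract visible in the trace: on failure it frees the
// caller's profile (cf. ~CIccProfile inside CIccXform::Create) and returns null.
Xform* createXform(Profile* p) {
  if (!p->parsable) { delete p; return nullptr; }
  return new Xform{p->version};
}

// BEFORE: reads p after the factory may already have freed it (the pattern
// ASan flags at IccCmm.cpp:8320). Kept only for contrast; never call it.
int addXformUnsafe(Profile* p) {
  Xform* x = createXform(p);
  int v = (int)p->version;  // dangling read when createXform() failed
  if (!x) return -1;
  delete x; delete p;       // success path: caller still owns the profile
  return v;
}

// FIX 1 (minimal): check the result before touching anything tied to p, and
// after a failure treat p as gone. Returns the source version or -1.
int addXformFixed(Profile* p) {
  Xform* x = createXform(p);
  if (!x) return -1;           // p was deleted by the factory; do not use it
  int v = (int)x->srcVersion;  // read from the object we still own
  delete x; delete p;
  return v;
}

// FIX 2 (structural): hand ownership over explicitly, so no raw pointer is
// left in the caller to misuse on either path.
std::unique_ptr<Xform> createXformOwned(std::unique_ptr<Profile> p) {
  if (!p->parsable) return nullptr;               // p destroyed here, once
  return std::unique_ptr<Xform>(new Xform{p->version});
}
int addXformOwned(std::unique_ptr<Profile> p) {
  auto x = createXformOwned(std::move(p));
  return x ? (int)x->srcVersion : -1;
}

int main() {  // constructed inputs: one parsable profile, one that fails
  int ok  = addXformFixed(new Profile{0x04400000u, true});
  int bad = addXformOwned(std::unique_ptr<Profile>(new Profile{1u, false}));
  return (ok == 0x04400000 && bad == -1) ? 0 : 1;
}
```

Building the same file with `-fsanitize=address` and calling `addXformUnsafe` on a non-parsable profile reproduces a heap-use-after-free report of the same shape as the one above.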

Labels: Bug, Bug Report, Triaged (maintainer indicates triaged status and ready for developer handoff), libFuzzer (libFuzzer related)