HBO in CIccCLUT::Interp3d() at IccTagLut.cpp:2721

[xsscx]

Maintainer Repro

2026-02-24 23:49:09 UTC

(#620) Retest

2026-02-25 02:31:33 UTC

Status

186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)

Reconfirmed

Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/npd-CIccMpeCalculator-GetNewApply-IccMpeCalc_cpp-Line4929.icc

Step 2. printf "'RGB '\nicEncodeFloat\n0.5 0.5 0.5\n" | iccApplyNamedCmm /dev/stdin 3 0 npd-CIccMpeCalculator-GetNewApply-IccMpeCalc_cpp-Line4929.icc 0

PoC Output

[2026-02-25 02:30:19 UTC] ~/head/iccDEV/Build (master)$ git show --no-patch --oneline
186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)
[2026-02-25 02:30:28 UTC] ~/head/iccDEV/Build (master)$ printf "'RGB '\nicEncodeFloat\n0.5 0.5 0.5\n" | Tools/IccApplyNamedCmm/iccApplyNamedCmm /dev/stdin 3 0 npd-CIccMpeCalculator-GetNewApply-IccMpeCalc_cpp-Line4929.icc 0
IccProfLib/IccTagLut.cpp:2682:39: runtime error: -16 is outside the range of representable values of type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior IccProfLib/IccTagLut.cpp:2682:39
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2404==ERROR: AddressSanitizer: SEGV on unknown address 0x5083ffffff6c (pc 0x733e7a0921a3 bp 0x7fff474e0c50 sp 0x7fff474e07c0 T0)
==2404==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x733e7a0921a3 in CIccCLUT::Interp3d(float*, float const*) const IccProfLib/IccTagLut.cpp:2721:10
    #1 0x733e79ccb567 in CIccMpeCLUT::Apply(CIccApplyMpe*, float*, float const*) const IccProfLib/IccMpeBasic.cpp:5710:12
    #2 0x733e79d5b249 in CIccApplyMpe::Apply(float*, float const*) IccProfLib/IccTagMPE.h:209:84
    #3 0x733e79d5af09 in CIccSubCalcApply::Apply(float*, float const*) IccProfLib/IccMpeCalc.h:434:99
    #4 0x733e79d5a646 in CIccOpDefSubElement::Exec(SIccCalcOp*, SIccOpState&) IccProfLib/IccMpeCalc.cpp:377:17
    #5 0x733e79d2aa51 in CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator*, unsigned int, SIccCalcOp*) const IccProfLib/IccMpeCalc.cpp:3803:21
    #6 0x733e79d2b080 in CIccCalculatorFunc::Apply(CIccApplyMpeCalculator*) const IccProfLib/IccMpeCalc.cpp:3830:8
    #7 0x733e79d449f7 in CIccMpeCalculator::Apply(CIccApplyMpe*, float*, float const*) const IccProfLib/IccMpeCalc.cpp:4973:24
    #8 0x733e79d5b249 in CIccApplyMpe::Apply(float*, float const*) IccProfLib/IccTagMPE.h:209:84
    #9 0x733e7a116d74 in CIccTagMultiProcessElement::Apply(CIccApplyTagMpe*, float*, float const*) const IccProfLib/IccTagMPE.cpp:1475:15
    #10 0x733e79b4b33c in CIccXformMpe::Apply(CIccApplyXform*, float*, float const*) const IccProfLib/IccCmm.cpp:7613:9
    #11 0x733e79b7cb4b in CIccApplyNamedColorCmm::Apply(float*, float const*) IccProfLib/IccCmm.cpp:9952:18
    #12 0x733e79b6c045 in CIccCmm::Apply(float*, float const*) IccProfLib/IccCmm.cpp:8855:20
    #13 0x59226edae102 in CIccNamedColorCmm::Apply(float*, float const*) Build/Cmake/../../IccProfLib/IccCmm.h:1841:95
    #14 0x59226eda52c5 in main Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:536:30
    #15 0x733e78c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x733e78c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #17 0x59226ecc1a24 in _start (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x12da24) (BuildId: d648150d1c66b17f7b5d47cab5fb6c69c5652efa)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV IccProfLib/IccTagLut.cpp:2721:10 in CIccCLUT::Interp3d(float*, float const*) const
==2404==ABORTING

Second Repro

[2026-02-25 19:12:55 UTC] ~/po/research (main)$ iccDEV/Build/Tools/IccRoundTrip/iccRoundTrip  /tmp/fuzz-ramdisk/crash-8d23aa67aa3775b72b154a75c9592696b6abff1b
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3308==ERROR: AddressSanitizer: SEGV on unknown address 0x50800124e848 (pc 0x7842ccc92183 bp 0x7fff50efba90 sp 0x7fff50efb600 T0)
==3308==The signal is caused by a READ memory access.
    #0 0x7842ccc92183 in CIccCLUT::Interp3d(float*, float const*) const /home/h02332/po/research/iccDEV/IccProfLib/IccTagLut.cpp:2721:10
    #1 0x7842cc8cb567 in CIccMpeCLUT::Apply(CIccApplyMpe*, float*, float const*) const /home/h02332/po/research/iccDEV/IccProfLib/IccMpeBasic.cpp:5710:12
    #2 0x7842cc95b229 in CIccApplyMpe::Apply(float*, float const*) /home/h02332/po/research/iccDEV/IccProfLib/IccTagMPE.h:209:84
    #3 0x7842cc95aee9 in CIccSubCalcApply::Apply(float*, float const*) /home/h02332/po/research/iccDEV/IccProfLib/IccMpeCalc.h:434:99
    #4 0x7842cc95a626 in CIccOpDefSubElement::Exec(SIccCalcOp*, SIccOpState&) /home/h02332/po/research/iccDEV/IccProfLib/IccMpeCalc.cpp:377:17
    #5 0x7842cc92aa31 in CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator*, unsigned int, SIccCalcOp*) const /home/h02332/po/research/iccDEV/IccProfLib/IccMpeCalc.cpp:3801:21
    #6 0x7842cc92b060 in CIccCalculatorFunc::Apply(CIccApplyMpeCalculator*) const /home/h02332/po/research/iccDEV/IccProfLib/IccMpeCalc.cpp:3828:8
    #7 0x7842cc9449d7 in CIccMpeCalculator::Apply(CIccApplyMpe*, float*, float const*) const /home/h02332/po/research/iccDEV/IccProfLib/IccMpeCalc.cpp:4971:24
    #8 0x7842cc95b229 in CIccApplyMpe::Apply(float*, float const*) /home/h02332/po/research/iccDEV/IccProfLib/IccTagMPE.h:209:84
    #9 0x7842ccd16d54 in CIccTagMultiProcessElement::Apply(CIccApplyTagMpe*, float*, float const*) const /home/h02332/po/research/iccDEV/IccProfLib/IccTagMPE.cpp:1475:15
    #10 0x7842cc74b33c in CIccXformMpe::Apply(CIccApplyXform*, float*, float const*) const /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:7613:9
    #11 0x7842cc7a15b9 in CIccApplyXform::Apply(float*, float const*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.h:526:91
    #12 0x7842cc74ebc0 in CIccApplyCmm::Apply(float*, float const*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:7799:15
    #13 0x7842cc76c045 in CIccCmm::Apply(float*, float const*) /home/h02332/po/research/iccDEV/IccProfLib/IccCmm.cpp:8855:20
    #14 0x7842cc7fc633 in CIccEvalCompare::EvaluateProfile(CIccProfile*, unsigned char, icRenderingIntent, icXformInterp, bool) /home/h02332/po/research/iccDEV/IccProfLib/IccEval.cpp:182:13
    #15 0x7842cc7fcd1d in CIccEvalCompare::EvaluateProfile(char const*, unsigned char, icRenderingIntent, icXformInterp, bool) /home/h02332/po/research/iccDEV/IccProfLib/IccEval.cpp:204:24
    #16 0x59cc5eac3e49 in main /home/h02332/po/research/iccDEV/Tools/CmdLine/IccRoundTrip/iccRoundTrip.cpp:170:27
    #17 0x7842cba2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7842cba2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #19 0x59cc5e9e63d4 in _start (/home/h02332/po/research/iccDEV/Build/Tools/IccRoundTrip/iccRoundTrip+0x2e3d4) (BuildId: cbd4eed21413f14c845f5fb785f1276dc493dac1)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/h02332/po/research/iccDEV/IccProfLib/IccTagLut.cpp:2721:10 in CIccCLUT::Interp3d(float*, float const*) const
==3308==ABORTING

crash-8d23aa67aa3775b72b154a75c9592696b6abff1b,icc.txt

[ChrisCoxArt]

Yuck. More code assuming that the UnitClip function pointer would actually clip to the unit range, when it always points to NoClip... Time to make that much clearer in the code.

There may still be errors with large, positive pixel values.