Labels
Bug Report; Triaged (Maintainer indicates triaged status and ready for developer handoff); libFuzzer Related
Description
Maintainer Repro
2026-02-25 02:40:29 UTC
Status
186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)
Step 2. printf "'RGB '\nicEncodeFloat\n0.5 0.5 0.5\n" | Tools/IccApplyNamedCmm/iccApplyNamedCmm /dev/stdin 3 0 hbo-CIccCalculatorFunc-ApplySequence-IccMpeCalc_cpp-Line3715.icc 0
PoC Output
[2026-02-25 02:37:53 UTC] ~/head/iccDEV/Build (master)$ git show --no-patch --oneline
186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)
[2026-02-25 02:37:59 UTC] ~/head/iccDEV/Build (master)$ printf "'RGB '\nicEncodeFloat\n0.5 0.5 0.5\n" | Tools/IccApplyNamedCmm/iccApplyNamedCmm /dev/stdin 3 0 hbo-CIccCalculatorFunc-ApplySequence-IccMpeCalc_cpp-Line3715.icc 0
=================================================================
==2519==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52c000007148 at pc 0x7e590e926bb5 bp 0x7ffc66303d50 sp 0x7ffc66303d48
READ of size 4 at 0x52c000007148 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
#0 0x7e590e926bb4 in CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator*, unsigned int, SIccCalcOp*) const IccProfLib/IccMpeCalc.cpp:3711:13
#1 0x7e590e929391 in CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator*, unsigned int, SIccCalcOp*) const IccProfLib/IccMpeCalc.cpp:3771:16
#2 0x7e590e92b080 in CIccCalculatorFunc::Apply(CIccApplyMpeCalculator*) const IccProfLib/IccMpeCalc.cpp:3830:8
#3 0x7e590e9449f7 in CIccMpeCalculator::Apply(CIccApplyMpe*, float*, float const*) const IccProfLib/IccMpeCalc.cpp:4973:24
#4 0x7e590e95b249 in CIccApplyMpe::Apply(float*, float const*) IccProfLib/IccTagMPE.h:209:84
#5 0x7e590ed16d74 in CIccTagMultiProcessElement::Apply(CIccApplyTagMpe*, float*, float const*) const IccProfLib/IccTagMPE.cpp:1475:15
#6 0x7e590e74b33c in CIccXformMpe::Apply(CIccApplyXform*, float*, float const*) const IccProfLib/IccCmm.cpp:7613:9
#7 0x7e590e77cb4b in CIccApplyNamedColorCmm::Apply(float*, float const*) IccProfLib/IccCmm.cpp:9952:18
#8 0x7e590e76c045 in CIccCmm::Apply(float*, float const*) IccProfLib/IccCmm.cpp:8855:20
#9 0x57a431deb102 in CIccNamedColorCmm::Apply(float*, float const*) Build/Cmake/../../IccProfLib/IccCmm.h:1841:95
#10 0x57a431de22c5 in main Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:536:30
#11 0x7e590d82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7e590d82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#13 0x57a431cfea24 in _start (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x12da24) (BuildId: d648150d1c66b17f7b5d47cab5fb6c69c5652efa)
0x52c000007148 is located 0 bytes after 28488-byte region [0x52c000000200,0x52c000007148)
allocated by thread T0 here:
#0 0x57a431d99a5d in calloc (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x1c8a5d) (BuildId: d648150d1c66b17f7b5d47cab5fb6c69c5652efa)
#1 0x7e590e9215d4 in CIccCalculatorFunc::Read(unsigned int, CIccIO*) IccProfLib/IccMpeCalc.cpp:3499:25
#2 0x7e590e93d63c in CIccMpeCalculator::Read(unsigned int, CIccIO*) IccProfLib/IccMpeCalc.cpp:4744:20
#3 0x7e590ed0d0da in CIccTagMultiProcessElement::Read(unsigned int, CIccIO*) IccProfLib/IccTagMPE.cpp:1068:21
#4 0x7e590f4ee7d8 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) Build/Cmake/../../IccProfLib/IccTagBasic.h:193:92
#5 0x7e590e9ebcf6 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfLib/IccProfile.cpp:1335:14
#6 0x7e590e9ea58d in CIccProfile::FindTag(IccTagEntry&) IccProfLib/IccProfile.cpp:437:5
#7 0x7e590e9ea2ae in CIccProfile::FindTag(unsigned int) IccProfLib/IccProfile.cpp:412:12
#8 0x7e590e674ebb in CIccXform::Create(CIccProfile*, bool, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) IccProfLib/IccCmm.cpp:634:30
#9 0x7e590e78fd74 in CIccNamedColorCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) IccProfLib/IccCmm.cpp:10759:17
#10 0x7e590e787195 in CIccNamedColorCmm::AddXform(char const*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*, bool) IccProfLib/IccCmm.cpp:10509:20
#11 0x57a431ddf1ec in main Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:381:18
#12 0x7e590d82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#13 0x7e590d82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#14 0x57a431cfea24 in _start (Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x12da24) (BuildId: d648150d1c66b17f7b5d47cab5fb6c69c5652efa)
SUMMARY: AddressSanitizer: heap-buffer-overflow IccProfLib/IccMpeCalc.cpp:3711:13 in CIccCalculatorFunc::ApplySequence(CIccApplyMpeCalculator*, unsigned int, SIccCalcOp*) const
Shadow bytes around the buggy address:
0x52c000006e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52c000006f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52c000006f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52c000007000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52c000007080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x52c000007100: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x52c000007180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52c000007200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52c000007280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52c000007300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52c000007380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2519==ABORTING