
SBO in icFixXml() at IccUtilXml.cpp:314 #624

@xsscx

Description

Maintainer Repro

2026-02-27 23:37:07 UTC

SCARINESS: 55 (7-byte-write-stack-buffer-overflow)

Status

Reconfirmed

Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/sbo-icFixXml-IccUtilXml_cpp-Line314.icc

Step 2. iccToXml sbo-icFixXml-IccUtilXml_cpp-Line314.icc foo.bar

PoC Output

==115697==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7febe2500120 at pc 0x645e9e2dced4 bp 0x7ffe17e55960 sp 0x7ffe17e55118
WRITE of size 7 at 0x7febe2500120 thread T0
SCARINESS: 55 (7-byte-write-stack-buffer-overflow)
    #0 0x645e9e2dced3 in strcpy (Build/Tools/IccToXml/iccToXml+0xb0ed3) (BuildId: a62c9ced83e844cf84c37df5b75df7cd38f6305f)
    #1 0x7febe7f13623 in icFixXml(char*, char const*) IccXML/IccLibXML/IccUtilXml.cpp:314:7
    #2 0x7febe7e4d11c in CIccTagXmlNamedColor2::ToXml(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) IccXML/IccLibXML/IccTagXml.cpp:708:45
    #3 0x7febe7e1be0b in CIccProfileXml::ToXmlWithBlanks(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) IccXML/IccLibXML/IccProfileXml.cpp:273:27
    #4 0x7febe7e11656 in CIccProfileXml::ToXml(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccXML/IccLibXML/IccProfileXml.cpp:79:10
    #5 0x645e9e3365b7 in main IccXML/CmdLine/IccToXml/IccToXml.cpp:39:16
    #6 0x7febe622a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7febe622a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #8 0x645e9e25a4a4 in _start (Build/Tools/IccToXml/iccToXml+0x2e4a4) (BuildId: a62c9ced83e844cf84c37df5b75df7cd38f6305f)

Address 0x7febe2500120 is located in stack of thread T0 at offset 288 in frame
    #0 0x7febe7e4c8af in CIccTagXmlNamedColor2::ToXml(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) IccXML/IccLibXML/IccTagXml.cpp:697

  This frame has 13 object(s):
    [32, 288) 'fix' (line 699) <== Memory access at offset 288 overflows this variable
    [352, 608) 'line' (line 700)
    [672, 928) 'buf' (line 701)
    [992, 1024) 'str' (line 703)
    [1056, 1088) 'ref.tmp' (line 706)
    [1120, 1132) 'lab' (line 721)
    [1152, 1184) 'ref.tmp108' (line 728)
    [1216, 1228) 'xyz' (line 731)
    [1248, 1280) 'ref.tmp166' (line 738)
    [1312, 1344) 'ref.tmp234' (line 754)
    [1376, 1408) 'ref.tmp235' (line 754)
    [1440, 1472) 'ref.tmp236' (line 754)
    [1504, 1536) 'ref.tmp264' (line 758)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (Build/Tools/IccToXml/iccToXml+0xb0ed3) (BuildId: a62c9ced83e844cf84c37df5b75df7cd38f6305f) in strcpy
Shadow bytes around the buggy address:
  0x7febe24ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe24fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe24fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe2500000: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe2500080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7febe2500100: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x7febe2500180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe2500200: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x7febe2500280: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe2500300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7febe2500380: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==115697==ABORTING
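The trace above shows strcpy() writing 7 bytes (a 6-character entity plus its NUL) past the end of the 256-byte stack array 'fix' declared at IccTagXml.cpp:699, with the destination size never compared against the expanded length of the named-color string being escaped. The following is an added example written for this page, not code from DemoIccMAX or from the reporter: it reconstructs the shape of an unbounded XML-escaping routine that produces exactly this kind of write, alongside two bounded alternatives. Which characters the real icFixXml() expands, and to what entities, is an assumption here; the point is the missing length check.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed example: a minimal XML text-escaping routine of the kind a
// profile-to-XML dumper needs. The entity table below is an assumption,
// not a copy of the project's icFixXml().
namespace demo {

constexpr std::size_t kFixBufSize = 256;   // size of the 'fix' object in the ASan frame dump

// Entity for a character that must be escaped in XML text, or nullptr.
inline const char* xmlEntity(char c) {
  switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&apos;";
    default:   return nullptr;
  }
}

// Unbounded variant: the pattern that overflows. strcpy() of a 6-character
// entity plus NUL past the end of a 256-byte stack array is a 7-byte write,
// the size ASan reports above. Kept only for contrast; never feed it
// untrusted input.
inline char* escapeUnbounded(char* dst, const char* src) {
  char* p = dst;
  for (; *src; ++src) {
    if (const char* e = xmlEntity(*src)) { std::strcpy(p, e); p += std::strlen(e); }
    else *p++ = *src;
  }
  *p = '\0';
  return dst;
}

// Worst-case escaped length for n source bytes: every byte becomes the
// longest entity (6 bytes), plus the terminating NUL.
inline std::size_t escapedUpperBound(std::size_t n) { return n * 6 + 1; }

// Bounded variant for callers that must keep a fixed destination: refuses
// (returns false, leaves dst empty) when the escaped text plus NUL would
// not fit in cap bytes.
inline bool escapeBounded(char* dst, std::size_t cap, const char* src) {
  if (cap == 0) return false;
  std::size_t used = 0;
  for (const char* s = src; *s; ++s) {
    const char* e = xmlEntity(*s);
    std::size_t len = e ? std::strlen(e) : 1;
    if (used + len + 1 > cap) { dst[0] = '\0'; return false; }
    if (e) std::memcpy(dst + used, e, len); else dst[used] = *s;
    used += len;
  }
  dst[used] = '\0';
  return true;
}

// std::string variant: no fixed destination, so no length to get wrong.
inline std::string escapeToString(const std::string& src) {
  std::string out;
  out.reserve(src.size());
  for (char c : src) {
    if (const char* e = xmlEntity(c)) out += e; else out += c;
  }
  return out;
}

// Longest raw input that a kFixBufSize-byte buffer can hold whatever its
// content: (256 - 1) / 6 = 42 bytes. Anything longer needs a check.
constexpr std::size_t maxAlwaysSafeInput() { return (kFixBufSize - 1) / 6; }

}  // namespace demo
```

The arithmetic in maxAlwaysSafeInput() is the practical takeaway: a 256-byte scratch buffer is only unconditionally safe for 42 bytes of attacker-controlled text once 6x entity expansion is possible, so any caller passing a field longer than that (or one that is not guaranteed NUL-terminated inside its declared size) has to bound the copy or build the output in a std::string.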

Labels: Bug, Bug Report, Triaged (Maintainer indicates triaged status and ready for developer handoff), libFuzzer (libFuzzer Related)