Labels: Bug Report, Triaged (maintainer indicates triaged status and ready for developer handoff), libFuzzer Related
Description
Maintainer Repro
2026-02-28 13:34:11 UTC
Git
186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)
Commands
Step 2. iccToXml hbo-CIccXmlArrayType-icTagTypeSignature-IccUtilXml_cpp-Line869.icc foo.bar
PoC Output
==172161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51f000000c80 at pc 0x79cbeb521f0e bp 0x7fffdbd655b0 sp 0x7fffdbd655a8
READ of size 2 at 0x51f000000c80 thread T0
#0 0x79cbeb521f0d in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::DumpArray(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, unsigned short*, unsigned int, icConvertType, unsigned char) IccXML/IccLibXML/IccUtilXml.cpp:869:58
#1 0x79cbeb4595b0 in CIccTagXmlSparseMatrixArray::ToXml(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) IccXML/IccLibXML/IccTagXml.cpp:1098:7
#2 0x79cbeb45a3e4 in non-virtual thunk to CIccTagXmlSparseMatrixArray::ToXml(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) IccXML/IccLibXML/IccTagXml.cpp
#3 0x79cbeb41be57 in CIccProfileXml::ToXmlWithBlanks(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) IccXML/IccLibXML/IccProfileXml.cpp:273:27
#4 0x79cbeb411736 in CIccProfileXml::ToXml(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccXML/IccLibXML/IccProfileXml.cpp:79:10
#5 0x5fdfff3305b7 in main IccXML/CmdLine/IccToXml/IccToXml.cpp:39:16
#6 0x79cbe982a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x79cbe982a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#8 0x5fdfff2544a4 in _start (Build/Tools/IccToXml/iccToXml+0x2e4a4) (BuildId: acb2ef951c56048fb67d55cbe9eb21cfd90c2272)
0x51f000000c80 is located 0 bytes after 3072-byte region [0x51f000000080,0x51f000000c80)
allocated by thread T0 here:
#0 0x5fdfff2ef710 in realloc (Build/Tools/IccToXml/iccToXml+0xc9710) (BuildId: acb2ef951c56048fb67d55cbe9eb21cfd90c2272)
#1 0x79cbead420a7 in icRealloc(void*, unsigned long) IccProfLib/IccUtil.cpp:122:12
#2 0x79cbeaac6f46 in CIccTagSparseMatrixArray::Reset(unsigned int, unsigned short) IccProfLib/IccTagBasic.cpp:5091:32
#3 0x79cbeaac2e1a in CIccTagSparseMatrixArray::Read(unsigned int, CIccIO*) IccProfLib/IccTagBasic.cpp:4609:3
#4 0x79cbeb4eeb08 in CIccTag::Read(unsigned int, CIccIO*, CIccProfile*) Build/Cmake/../../IccProfLib/IccTagBasic.h:193:92
#5 0x79cbea9ebab6 in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) IccProfLib/IccProfile.cpp:1335:14
#6 0x79cbea9fb331 in CIccProfile::Read(CIccIO*, bool) IccProfLib/IccProfile.cpp:879:10
#7 0x5fdfff3303d0 in main IccXML/CmdLine/IccToXml/IccToXml.cpp:31:16
#8 0x79cbe982a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#9 0x79cbe982a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#10 0x5fdfff2544a4 in _start (Build/Tools/IccToXml/iccToXml+0x2e4a4) (BuildId: acb2ef951c56048fb67d55cbe9eb21cfd90c2272)
SUMMARY: AddressSanitizer: heap-buffer-overflow IccXML/IccLibXML/IccUtilXml.cpp:869:58 in CIccXmlArrayType<unsigned short, (icTagTypeSignature)1969828150>::DumpArray(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, unsigned short*, unsigned int, icConvertType, unsigned char)
Shadow bytes around the buggy address:
==172161==ABORTING