SO in CIccStructCreator::DoCreateStruct() at IccStructFactory.cpp:191

[xsscx]

Maintainer Repro

2026-02-28 17:22:59 UTC

Git

186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)

Commands

Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/CIccTagStruct-Read-recursive-stack-overflow.icc

Step 2. iccToXml CIccTagStruct-Read-recursive-stack-overflow.icc foo.bar

PoC Output

[2026-02-28 17:17:47 UTC] ~/po/research (main)$ iccToXml CIccTagStruct-Read-recursive-stack-overflow.icc foo.bar
AddressSanitizer:DEADLYSIGNAL
=================================================================
==200315==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd383adea8 (pc 0x64090e3ccf67 bp 0x7ffd383ae6e0 sp 0x7ffd383adeb0 T0)
SCARINESS: 10 (stack-overflow)
    #0 0x631fb0e64f21 in __asan_memcpy (Build/Tools/IccToXml/iccToXml+0xc6f21) (BuildId: acb2ef951c56048fb67d55cbe9eb21cfd90c2272)
    #1 0x71008b46f5d0 in CIccStructCreator::DoCreateStruct(icStructSignature, CIccTagStruct*) IccProfLib/IccStructFactory.cpp:191:9
    #2 0x71008b5c2623 in CIccStructCreator::CreateStruct(icStructSignature, CIccTagStruct*) IccProfLib/IccStructFactory.h:233:50
    #3 0x71008b5a34d2 in CIccTagStruct::SetTagStructType(icStructSignature) IccProfLib/IccTagComposite.cpp:266:15
    #4 0x71008b5a595f in CIccTagStruct::Read(unsigned int, CIccIO*) IccProfLib/IccTagComposite.cpp:380:3
    #5 0x71008b5a7752 in CIccTagStruct::LoadElem(IccTagEntry*, CIccIO*) IccProfLib/IccTagComposite.cpp:890:14
...
    #245 0x71008b5a7752 in CIccTagStruct::LoadElem(IccTagEntry*, CIccIO*) IccProfLib/IccTagComposite.cpp:890:14
    #246 0x71008b5a62de in CIccTagStruct::Read(unsigned int, CIccIO*) IccProfLib/IccTagComposite.cpp:406:10

SUMMARY: AddressSanitizer: stack-overflow (Build/Tools/IccToXml/iccToXml+0xc6f21) (BuildId: acb2ef951c56048fb67d55cbe9eb21cfd90c2272) in __asan_memcpy
==198876==ABORTING

[ChrisCoxArt]

Looks like this was the same basic issue as #629