SO in CIccBasicStructFactory::CreateStruct() at IccStructFactory.cpp:93

[xsscx]

Maintainer Repro

2026-02-28 19:22:48 UTC

Git

186bba0 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccCalculatorFunc::InitSelectOp() (#622)

Commands

Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/so-CIccBasicStructFactory-CreateStruct-IccStructFactory_cpp-Line93.icc

Step 2. iccDumpProfile -v so-CIccBasicStructFactory-CreateStruct-IccStructFactory_cpp-Line93.icc

PoC Output

[2026-02-28 19:22:44 UTC] ~/po/research (main)$  iccDumpProfile -v so-CIccBasicStructFactory-CreateStruct-IccStructFactory_cpp-Line93.icc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==16246==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf90f1f88 (pc 0x5d6994ed59ce bp 0x7ffdf90f27b0 sp 0x7ffdf90f1f80 T0)
    #0 0x5d6994ed59ce in operator new(unsigned long) (Build/Tools/IccDumpProfile/iccDumpProfile+0x1199ce) (BuildId: fcd015a5d985d7d47300b419da8cddb6b74543ee)
    #1 0x756e0966d793 in CIccBasicStructFactory::CreateStruct(icStructSignature, CIccTagStruct*) IccProfLib/IccStructFactory.cpp:93:14
    #2 0x756e0966f7fb in CIccStructCreator::DoCreateStruct(icStructSignature, CIccTagStruct*) IccProfLib/IccStructFactory.cpp:192:16
    #3 0x756e097c2623 in CIccStructCreator::CreateStruct(icStructSignature, CIccTagStruct*) IccProfLib/IccStructFactory.h:233:50
    #4 0x756e097a34d2 in CIccTagStruct::SetTagStructType(icStructSignature) IccProfLib/IccTagComposite.cpp:266:15
    #5 0x756e097a595f in CIccTagStruct::Read(unsigned int, CIccIO*) IccProfLib/IccTagComposite.cpp:380:3
    #6 0x756e097a7752 in CIccTagStruct::LoadElem(IccTagEntry*, CIccIO*) IccProfLib/IccTagComposite.cpp:890:14
    #7 0x756e097a62de in CIccTagStruct::Read(unsigned int, CIccIO*) IccProfLib/IccTagComposite.cpp:406:10
    #8 0x756e097a7752 in CIccTagStruct::LoadElem(IccTagEntry*, CIccIO*) IccProfLib/IccTagComposite.cpp:890:14  
...
SUMMARY: AddressSanitizer: stack-overflow (Build/Tools/IccDumpProfile/iccDumpProfile+0x1199ce) (BuildId: fcd015a5d985d7d47300b419da8cddb6b74543ee) in operator new(unsigned long)
==16246==ABORTING

[ChrisCoxArt]

Seems like a circular reference in CIccTagStruct::LoadElem and ::Read

#11026	0x00000001024b1227 in CIccTagStruct::LoadElem at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:890
#11027	0x00000001024b01ed in CIccTagStruct::Read at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:406
#11028	0x00000001024b1227 in CIccTagStruct::LoadElem at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:890
#11029	0x00000001024b01ed in CIccTagStruct::Read at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:406
#11030	0x00000001024b1227 in CIccTagStruct::LoadElem at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:890
#11031	0x00000001024b01ed in CIccTagStruct::Read at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:406
#11032	0x00000001024b1227 in CIccTagStruct::LoadElem at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:890
#11033	0x00000001024b01ed in CIccTagStruct::Read at /Volumes/Development/iccDEV/IccProfLib/IccTagComposite.cpp:406

[ChrisCoxArt]

The internal tag size was bigger than the profile, or the containing tag size - but we failed to check it.
Then we check later, and overflow 32 bits, and fail to catch the error.
We then re-read the tag data, leading to an infinite loop trying to load the tag struct.