NPD in CIccTagXmlStruct::ParseTag() at IccTagXml.cpp:4738

[xsscx]

Maintainer Repro

2026-03-01 00:38:58 UTC

Git

c43bde1 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccXmlArrayType<> (#631)

Commands

Step 1. wget https://github.com/xsscx/fuzz/raw/refs/heads/master/xml/icc/segv-CIccTagXmlStruct-ParseTag-IccTagXml_cpp-Line4738.xml

Step 2. iccFromXml segv-CIccTagXmlStruct-ParseTag-IccTagXml_cpp-Line4738.xml foo.bar

PoC Output

[2026-03-01 00:44:06 UTC] ~/head/iccDEV/Build (master)$ git log --oneline --graph -1
* c43bde1 (HEAD -> master, origin/master, origin/HEAD) Fix: HBO in CIccXmlArrayType<> (#631)
[2026-03-01 00:44:18 UTC] ~/head/iccDEV/Build (master)$ Tools/IccFromXml/iccFromXml segv-CIccTagXmlStruct-ParseTag-IccTagXml_cpp-Line4738.xml foo.bar
IccXML/IccLibXML/IccTagXml.cpp:4725:87: runtime error: member access within null pointer of type 'struct _xmlNode'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior IccXML/IccLibXML/IccTagXml.cpp:4725:87
AddressSanitizer:DEADLYSIGNAL
=================================================================
==183975==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7b91e8cbe618 bp 0x7ffd39f0c9b0 sp 0x7ffd39f0c220 T0)
==183975==The signal is caused by a READ memory access.
==183975==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7b91e8cbe618 in CIccTagXmlStruct::ParseTag(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccXML/IccLibXML/IccTagXml.cpp:4725:87
    #1 0x7b91e8cc04b9 in CIccTagXmlStruct::ParseXml(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccXML/IccLibXML/IccTagXml.cpp:4806:12
    #2 0x7b91e8c2b20e in CIccProfileXml::ParseTag(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccXML/IccLibXML/IccProfileXml.cpp:751:31
    #3 0x7b91e8c2f877 in CIccProfileXml::ParseXml(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) IccXML/IccLibXML/IccProfileXml.cpp:862:12
    #4 0x7b91e8c2feac in CIccProfileXml::LoadXml(char const*, char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*) IccXML/IccLibXML/IccProfileXml.cpp:919:13
    #5 0x5963844a3f6e in main IccXML/CmdLine/IccFromXml/IccFromXml.cpp:69:18
    #6 0x7b91e702a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7b91e702a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #8 0x5963843c7584 in _start (Build/Tools/IccFromXml/iccFromXml+0x2f584) (BuildId: bcf3a14ed36db3a2fff51b828b37a7b878c8b609)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV IccXML/IccLibXML/IccTagXml.cpp:4725:87 in CIccTagXmlStruct::ParseTag(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&)
==183975==ABORTING

segv-CIccTagXmlStruct-ParseTag-IccTagXml_cpp-Line4738.xml

[ChrisCoxArt]

The usual, failed to check that the the tag children pointer existed before dereferencing.