SIGSEGV in cmsIT8LoadFromMem #329
Thanks for pointing out. It is now fixed by c67fbea. Please note a CVE makes NO sense here because, as said, this code is used only by tools and not in the color engine, so it is impossible to craft an ICC profile to trigger this behavior in any color engine client. Thanks again.
Thanks for the fast reply!
So, I think, I am free to send you input. I made a small fix that helps. Please check #330.
Fixed by this commit.
Hi!
We were doing some fuzzing using AFLplusplus with the symbolic execution tool Sydr and found an interesting issue. Here is the ASAN report:
I'll try to explain what is happening. We use `cmsIT8LoadFromMem` to load input data from memory. At some stage of parsing (`DataFormatSection`) a large memory object fails to be allocated using `AllocChunk`. This situation could possibly lead to CWE-123 (write-what-where). I think there is a bug in `AllocChunk`. The problem is that the `ptr` pointer becomes malformed at this line. The address where we try to write data in `memcpy` (`0x000000000008`) is the aligned size of the next chunk to allocate. In theory, we could control the address on 32-bit systems and do an arbitrary write. If you are interested in debugging this issue, I could send an input and instructions by email.