Closed hghwng closed 1 year ago
Here's gdb's output, regarding nSamples and the array index i.
#2 0x0000555555640667 in WriteDataFormat (fp=<optimized out>, it8=0x7ffff7b18010) at cmscgats.c:1855
1855 WriteStr(fp, t->DataFormat[i]);
(gdb) p i
$1 = 5
(gdb) p *t
$2 = {SheetType = "\"\"\000TS.17", '\000' <repeats 1015 times>, nSamples = 4, nPatches = 0, SampleID = 0, HeaderList = 0x55555f0bfb30, DataFormat = 0x55555f0bfbf8, Data = 0x0}
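The mismatch visible in that gdb session, as an added example that is not part of this issue or of Little-CMS itself: a constructed CGATS-style table whose NUMBER_OF_FIELDS header disagrees with the parsed DataFormat block, with the header-bounded write loop from the report beside a variant that bounds the loop by the count the parser actually allocated and rejects a disagreeing header. The Table type, the append helper, the field names and the 128-byte output buffer are assumptions for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the lcms CGATS table (not the library's own type):
 * DataFormat holds nSamples names parsed from BEGIN_DATA_FORMAT, while
 * NUMBER_OF_FIELDS is a separate header property the file controls. */
typedef struct {
    int nSamples;                 /* entries actually present in DataFormat */
    const char **DataFormat;
    const char *number_of_fields; /* header text, may disagree with nSamples */
} Table;
/* Append s to out without overrunning the caller's buffer. */
static int append(char *out, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n >= cap) return 0;
    memcpy(out + *len, s, n + 1);
    *len += n;
    return 1;
}
/* Pattern from the report: the header bounds the loop, so a file declaring more
 * fields than the format block holds reads past DataFormat (gdb: i == 5, nSamples == 4). */
int write_data_format_unchecked(const Table *t, char *out, size_t cap)
{
    int i, n = atoi(t->number_of_fields);
    size_t len = 0;
    if (!append(out, cap, &len, "BEGIN_DATA_FORMAT\n ")) return -1;
    for (i = 0; i < n; i++) {                 /* never compared with t->nSamples */
        if (!append(out, cap, &len, t->DataFormat[i])) return -1;
        if (!append(out, cap, &len, i == n - 1 ? "\n" : "\t")) return -1;
    }
    return append(out, cap, &len, "END_DATA_FORMAT\n") ? n : -1;
}
/* Hardened variant: the allocated count bounds the loop, and a header that
 * disagrees with the format block is rejected rather than trusted. */
int write_data_format_checked(const Table *t, char *out, size_t cap)
{
    int i;
    size_t len = 0;
    if (!t->DataFormat || !t->number_of_fields || atoi(t->number_of_fields) != t->nSamples) return -1;
    if (!append(out, cap, &len, "BEGIN_DATA_FORMAT\n ")) return -1;
    for (i = 0; i < t->nSamples; i++) {
        if (!append(out, cap, &len, t->DataFormat[i])) return -1;
        if (!append(out, cap, &len, i == t->nSamples - 1 ? "\n" : "\t")) return -1;
    }
    return append(out, cap, &len, "END_DATA_FORMAT\n") ? t->nSamples : -1;
}
/* Constructed inputs: a consistent table and one whose header claims 6 fields. */
static const char *fields[] = { "SAMPLE_ID", "RGB_R", "RGB_G", "RGB_B" };
Table good_table = { 4, fields, "4" }, bad_table = { 4, fields, "6" };
char scratch[128];
```

The checked writer returns -1 for bad_table instead of walking past the four allocated entries, which is the outcome a bounds check in WriteDataFormat has to produce for the fuzzer's input.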
Thanks for reporting. Should be solved in e85c64ec86b9025c696f707d820ba28e3e732e70. Please note this affects only the CGATS parser, which is currently only used by command line sample tools. So, no exploits can be done by that. The ICC parsing and handling does not use this code in any way.
Thanks for the patch — I can confirm that this problem has been fixed, thus I'm closing this issue. Thank you for maintaining LCMS — I'm using it on my Linux laptop right now 🤗
When fuzzing cmsIT8_load_fuzzer at commit 338cf94, I discovered a crash in WriteDataFormat. Specifically, it seems that cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS") returns more fields than the file contains. https://github.com/mm2/Little-CMS/blob/338cf946524714b2529750616d78581fce4b9b33/src/cmscgats.c#L1842-L1860
For easier debugging, you can reproduce the bug as follows: