mm2 / Little-CMS

A free, open source, CMM engine. It provides fast transforms between ICC profiles.
https://www.littlecms.com
MIT License

[IT8] Out-of-bound array access in CookPointers #374

Closed hghwng closed 1 year ago

hghwng commented 1 year ago

Hi there! I wanted to bring to your attention another out-of-bound array access that I found in CookPointers at the trunk version bce906a. While fuzzing cmsIT8_load_fuzzer, I discovered a crash that seems to be caused by the upper bound for the loop, where idField is not being properly calculated. This results in an undefined value for Fld and causes the program to crash at cmsstrcasecmp.

https://github.com/mm2/Little-CMS/blob/bce906a970683fdb692d4174c067b977c8ab6aa7/src/cmscgats.c#L2306-L2332

You can reproduce the bug with the following seed file (encoded in base64):

ICIiCk5VTUJFUl9PRl9GSUVMRFMgNApCRUdJTl9EQVRBX0ZPUk1BVApJIFIgRyBHCkVORF9EQVRB
X0ZPUk1BVApOVU1CRVJfT0ZfRklFTERTIDkKTlVNQkVSX09GX1NFVFMgMgpCRUdJTl9EQVRBCmQK
MCAwQmQKMEJhCSQgJCB0IC4=

Here's the relevant gdb output:

Thread 1 "cmsIT8_load_fuz" received signal SIGSEGV, Segmentation fault.
cmsstrcasecmp (s1=<optimized out>, s2=<optimized out>) at cmserr.c:44
44          while (toupper(*us1) == toupper(*us2++))
(gdb) up
#1  0x00005555556425cf in CookPointers (it8=0x7ffff7b1b010) at cmscgats.c:2331
2331            if (cmsstrcasecmp(Fld, "SAMPLE_ID") == 0) {
(gdb) p Fld
$1 = 0x49 <error: Cannot access memory at address 0x49>
(gdb) p idField
$2 = 5

I hope this helps in identifying the problem and finding a solution. Let me know if you have any questions or if there's anything else I can do to assist.
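The seed above decodes to a header that declares NUMBER_OF_FIELDS 4, lists four DATA_FORMAT names, and then redeclares NUMBER_OF_FIELDS 9, which matches the gdb state (idField past a 4-entry format list). As an added example, not code from the report, from Little-CMS or from the fixing commit, the following minimal C model tracks the advertised count and the stored DATA_FORMAT entries separately, bounds the column lookup by the stored count, and optionally rejects a redeclared count; how the real parser tracks these values is an assumption here.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_FIELDS 32
/* Minimal model of an IT8 table header, constructed for this example (not lcms code):
   the advertised field count versus the DATA_FORMAT names actually stored. */
typedef struct {
    int nSamples;                        /* latest NUMBER_OF_FIELDS value seen */
    int nStored;                         /* DATA_FORMAT entries actually stored */
    const char *DataFormat[MAX_FIELDS];
    char text[512];                      /* tokenised copy; DataFormat points into it */
} Table;
/* Parse header keywords. In strict mode a NUMBER_OF_FIELDS that disagrees with an
   already-stored DATA_FORMAT is rejected (-1); otherwise the header is accepted (0). */
static int parse_header(const char *text, Table *t, int strict) {
    int in_format = 0, want_count = 0;
    memset(t, 0, sizeof *t);
    strncpy(t->text, text, sizeof t->text - 1);
    for (char *tok = strtok(t->text, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (want_count) {                            /* value following NUMBER_OF_FIELDS */
            int n = atoi(tok);
            if (strict && t->nStored && n != t->nStored) return -1;
            t->nSamples = n; want_count = 0;
        } else if (strcmp(tok, "NUMBER_OF_FIELDS") == 0) want_count = 1;
        else if (strcmp(tok, "BEGIN_DATA_FORMAT") == 0)  in_format = 1;
        else if (strcmp(tok, "END_DATA_FORMAT") == 0)    in_format = 0;
        else if (in_format && t->nStored < MAX_FIELDS)   t->DataFormat[t->nStored++] = tok;
    }
    return 0;
}

/* Column lookup bounded by what was stored, not by the advertised count, so a
   mismatch between the two can never index past DataFormat. */
static int find_field(const Table *t, const char *name) {
    for (int i = 0; i < t->nStored && i < t->nSamples; i++)
        if (strcasecmp(t->DataFormat[i], name) == 0) return i;
    return -1;
}
/* How many entries a loop bounded only by nSamples would read past the array. */
static int overrun_count(const Table *t) { return t->nSamples > t->nStored ? t->nSamples - t->nStored : 0; }
/* Constructed header with the shape of the report's decoded seed: 4 fields declared,
   4 names stored, then NUMBER_OF_FIELDS redeclared as 9 before the data. */
static const char SEED[] = "NUMBER_OF_FIELDS 4\nBEGIN_DATA_FORMAT\nI R G G\nEND_DATA_FORMAT\n"
                           "NUMBER_OF_FIELDS 9\nNUMBER_OF_SETS 2\n";
static Table tbl;
static int seed_strict(void)                { return parse_header(SEED, &tbl, 1); }
static int seed_lenient_overrun(void)       { parse_header(SEED, &tbl, 0); return overrun_count(&tbl); }
static int seed_lenient_find(const char *n) { parse_header(SEED, &tbl, 0); return find_field(&tbl, n); }
```

With the strict check the constructed header is refused outright; without it, the lenient parse records 9 advertised against 4 stored fields, and only the stored-count bound keeps the SAMPLE_ID lookup inside the array.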

mm2 commented 1 year ago

fixed on b0541c2c147a0a9ef7aa0f00d16c032d984f5387 Thanks for reporting