iccDEV Unicode Buffer Overflow Vulnerability in CIccTagTextDescription
Vulnerability
A unicode buffer overflow vulnerability has been identified in the iccDEV library, specifically in versions prior to 2.3.1.2. This vulnerability affects users who process ICC color profiles. The issue arises in the 'CIccTagTextDescription' component, where improper handling of unicode strings can lead to reading beyond the allocated buffer, potentially causing memory corruption.
Impact
Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for memory corruption.
Reproduction
The vulnerability can be reproduced by using the 'iccDumpProfile' tool to process a crafted ICC profile that triggers the buffer overflow in the 'CIccTagTextDescription::ReleaseUnicode()' method. This can be done by including a unicode string that exceeds the buffer's capacity, causing the AddressSanitizer (ASan) to report a heap-buffer-overflow error.
Remediation
Users can upgrade to iccDEV version 2.3.1.2 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.