iccDEV NULL Pointer Dereference Vulnerability in XML Calculator Parser

A NULL pointer dereference vulnerability has been identified in the iccDEV library, specifically in versions prior to 2.3.1.2. The issue arises in the XML calculator parser, where a lack of proper NULL checks can lead to a segmentation fault by attempting to read memory at an invalid address. This vulnerability requires user interaction to be exploited, as it involves processing specially crafted XML files that trigger the NULL dereference during parsing.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a segmentation fault and application crash. However, such memory access errors can potentially be exploited to execute arbitrary code under certain conditions.

Reproduction

The vulnerability can be reproduced by using the 'iccFromXml' command-line tool included with iccDEV. After downloading a crafted XML file that exploits the NULL pointer dereference, this file can be processed with the 'iccFromXml' tool, which will then crash with an AddressSanitizer error indicating a segmentation fault due to a read access violation on a NULL pointer.

Remediation

Users can upgrade to iccDEV version 2.3.1.2 or later, where this vulnerability has been patched.