iccDEV Integer Overflow and Underflow Vulnerability in CIccXmlArrayType::ParseTextCountNum()

Vulnerability

A vulnerability in the iccDEV library, affecting versions prior to 2.3.1.1, has been identified in the CIccXmlArrayType::ParseTextCountNum() function. This issue involves integer overflows and underflows, which can lead to undefined behavior when processing ICC color profiles. The vulnerability requires user interaction to exploit.

Impact

Processing a malicious profile causes integer overflow and underflow, leading to undefined behavior. An attacker could potentially use this to cause a denial-of-service condition or to manipulate program execution.

Reproduction

The vulnerability can be reproduced by using the iccDEV library to process an ICC color profile that contains numeric values designed to trigger the overflow or underflow, for example by running the 'IccFromXML' command on a specially crafted XML file that includes such values. When the tool is built with UndefinedBehaviorSanitizer, the sanitizer reports the runtime errors caused by the invalid numeric values.

Remediation

Users can upgrade to version 2.3.1.2 or later to address this vulnerability.
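
For code that parses numeric text from untrusted profiles, one way to reject out-of-range values instead of letting the arithmetic wrap is shown below. This is an added example, not iccDEV's code or its fix; the names parse_u32_checked and parse_u32_array, the 32-bit unsigned target type and the whitespace-separated input format are assumptions.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

// Hypothetical helper (not iccDEV code): parse one unsigned decimal token that must fit uint32_t.
static bool parse_u32_checked(const std::string& tok, uint32_t& out) {
    if (tok.empty()) return false;
    const uint32_t max = std::numeric_limits<uint32_t>::max();
    uint32_t value = 0;
    for (char c : tok) {
        if (c < '0' || c > '9') return false;  // rejects '-', '+', '.', 'e'
        const uint32_t digit = static_cast<uint32_t>(c - '0');
        // Test the bound first so value * 10 + digit can never wrap.
        if (value > (max - digit) / 10) return false;
        value = value * 10 + digit;
    }
    out = value;
    return true;
}

// Hypothetical helper: parse a whitespace-separated list; fail on any bad token.
static bool parse_u32_array(const std::string& text, std::vector<uint32_t>& out) {
    out.clear();
    std::size_t i = 0;
    while (i < text.size()) {
        while (i < text.size() && std::isspace(static_cast<unsigned char>(text[i]))) ++i;
        const std::size_t start = i;
        while (i < text.size() && !std::isspace(static_cast<unsigned char>(text[i]))) ++i;
        if (i == start) break;  // only trailing whitespace was left
        uint32_t v = 0;
        if (!parse_u32_checked(text.substr(start, i - start), v)) {
            out.clear();
            return false;
        }
        out.push_back(v);
    }
    return true;
}

int main() {
    std::vector<uint32_t> vals;
    // Constructed sample inputs: in range, one past UINT32_MAX, negative.
    for (const char* s : {"0 16 4294967295", "1 4294967296", "3 -1"})
        std::cout << '"' << s << "\" -> " << (parse_u32_array(s, vals) ? "ok" : "rejected") << '\n';
    return 0;
}
```

Building such a parser with -fsanitize=undefined and feeding it boundary values is a quick regression check that no token reaches an unchecked multiply or add.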

Added: Jan 6, 2026, 2:19 AM
Updated: Jan 6, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.