iccDEV Memory Leak Vulnerability in XML MPE Parsing Path
Vulnerability
A memory leak vulnerability has been identified in the iccDEV library, specifically in versions prior to 2.3.1.1. The issue arises in the XML MPE parsing function 'iccFromXml', where improperly managed memory leads to leaks. This vulnerability requires user interaction to be exploited.
Impact
Exploitation of this vulnerability causes a memory leak, where allocated memory is not properly released, potentially leading to increased memory usage and degradation of application performance over time.
Reproduction
The vulnerability can be reproduced by exporting Clang++ as the compiler, cloning the iccDEV repository, and building the project with CMake with AddressSanitizer and UndefinedBehaviorSanitizer enabled. Calling the 'iccFromXml' function with a crafted XML file then triggers the memory leak, and AddressSanitizer reports that memory allocated during XML parsing was not freed.
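To turn the AddressSanitizer leak report described above into something a CI job can gate on, the following added example (not iccDEV code) parses LeakSanitizer output and attributes leaked bytes to the first non-allocator frame. The sample report, including its function names, paths and sizes, is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed LeakSanitizer report: hypothetical frames, paths and sizes, not from an iccDEV run.
SAMPLE_REPORT = """\
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4f1a2d in operator new(unsigned long) (/build/tool+0x4f1a2d)
    #1 0x5a0c11 in ExampleXmlElement::ParseChild(void*) /src/example_xml.cpp:210:18
    #2 0x5a2e90 in main /src/example_tool.cpp:88:9

Indirect leak of 32 byte(s) in 2 object(s) allocated from:
    #0 0x4c3f10 in malloc (/build/tool+0x4c3f10)
    #1 0x5a0d44 in ExampleXmlElement::ParseChild(void*) /src/example_xml.cpp:233:12

SUMMARY: AddressSanitizer: 96 byte(s) leaked in 3 allocation(s).
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: (\d+) byte\(s\) leaked in (\d+) alloc")
ALLOCATORS = ("operator new", "malloc", "calloc", "realloc", "strdup")

def parse_leaks(report):
    """Return (leaks, summary); summary is (bytes, allocations) or None if clean."""
    leaks, summary, current = [], None, None
    for line in report.splitlines():
        if m := HEADER.match(line):
            current = {"kind": m[1], "bytes": int(m[2]), "objects": int(m[3]), "frames": []}
            leaks.append(current)
        elif current is not None and (m := FRAME.match(line)):
            current["frames"].append((m[1], m[2]))
        elif m := SUMMARY.match(line):
            summary = (int(m[1]), int(m[2]))
        elif not line.strip():
            current = None  # a blank line ends the current stack
    return leaks, summary

def allocation_site(leak):
    """First frame that is not an allocator: the code that owned the leaked object."""
    return next((f for f in leak["frames"] if not f[0].startswith(ALLOCATORS)), ("<unknown>", ""))

def bytes_by_site(leaks):
    """Sum leaked bytes per owning function so a CI gate can name the leaking path."""
    totals = defaultdict(int)
    for leak in leaks:
        totals[allocation_site(leak)[0]] += leak["bytes"]
    return dict(totals)
```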
Remediation
Users can upgrade to iccDEV version 2.3.1.2 or later, where this vulnerability has been fixed.
