iccDEV Undefined Behavior Vulnerability in CIccCLUT::Init Function Allows for Runtime Errors

Vulnerability

iccDEV versions prior to 2.3.1.1 contain a flaw in the CIccCLUT::Init function. When a Color Lookup Table (CLUT) is initialized, the function uses the input and output channel counts read from the profile without validating them first. A profile carrying out-of-range channel counts therefore drives the initialization into undefined behavior: the table is sized and indexed from untrusted values, memory is accessed outside the intended bounds, and the result is data corruption or a runtime error.
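The missing check the advisory describes, validating the channel counts and grid dimensions before a CLUT is sized, is illustrated below with an added example written for this page. It is not iccDEV's CIccCLUT::Init nor the project's patch; the limits kMaxChannels and kMinGridPoints, the function names, and the assumption that CLUT entries are 1 or 2 bytes wide are choices made for the example. The unchecked variant is included only to show the shape of the problem.

```cpp
#include <cstdint>
#include <cstddef>
#include <limits>

// Illustrative limits (assumptions for this example, not iccDEV constants).
constexpr std::size_t kMaxChannels = 16;   // upper bound on input/output channels
constexpr std::size_t kMinGridPoints = 2;  // a CLUT axis needs at least two grid points

// Unchecked sizing in the style the advisory warns about: the channel counts
// and per-axis grid points are trusted exactly as read. There is no range
// check on nInput/nOutput and the multiplications wrap silently on overflow,
// so the caller may allocate or index a table that does not match the data.
// Shown for contrast only.
std::size_t clutBytesUnchecked(std::size_t nInput, std::size_t nOutput,
                               const std::uint8_t* gridPoints,
                               std::size_t bytesPerPoint)
{
    std::size_t points = 1;
    for (std::size_t i = 0; i < nInput; ++i)
        points *= gridPoints[i];
    return points * nOutput * bytesPerPoint;
}

// Multiply with overflow detection; returns false if a*b does not fit in size_t.
static bool mulChecked(std::size_t a, std::size_t b, std::size_t& out)
{
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Hardened sizing: every value taken from the profile is validated before it
// is used to size or index anything. Returns false and leaves bytesOut
// untouched on any invalid or overflowing input.
bool clutBytesChecked(std::size_t nInput, std::size_t nOutput,
                      const std::uint8_t* gridPoints, std::size_t nGridPoints,
                      std::size_t bytesPerPoint, std::size_t& bytesOut)
{
    if (nInput == 0 || nInput > kMaxChannels) return false;
    if (nOutput == 0 || nOutput > kMaxChannels) return false;
    // ICC CLUT entries are stored with 8- or 16-bit precision.
    if (bytesPerPoint != 1 && bytesPerPoint != 2) return false;
    // The grid-point array must cover every input axis we are about to read.
    if (gridPoints == nullptr || nGridPoints < nInput) return false;

    std::size_t points = 1;
    for (std::size_t i = 0; i < nInput; ++i) {
        if (gridPoints[i] < kMinGridPoints) return false;
        if (!mulChecked(points, gridPoints[i], points)) return false;
    }
    std::size_t bytes = 0;
    if (!mulChecked(points, nOutput, bytes)) return false;
    if (!mulChecked(bytes, bytesPerPoint, bytes)) return false;
    bytesOut = bytes;
    return true;
}

int main()
{
    // Constructed inputs: a 3-in/3-out CLUT, 17 grid points per axis, 16-bit entries.
    const std::uint8_t grid3[3] = {17, 17, 17};
    std::size_t bytes = 0;
    bool ok = clutBytesChecked(3, 3, grid3, 3, 2, bytes);   // 17^3 * 3 * 2 = 29478

    // Hostile inputs of the kind a crafted profile could carry.
    bool zeroInputs = clutBytesChecked(0, 3, grid3, 3, 2, bytes);   // rejected
    const std::uint8_t grid16[16] = {255, 255, 255, 255, 255, 255, 255, 255,
                                     255, 255, 255, 255, 255, 255, 255, 255};
    bool overflow = clutBytesChecked(16, 16, grid16, 16, 2, bytes); // 255^16 overflows, rejected

    return (ok && bytes == 29478 && !zeroInputs && !overflow) ? 0 : 1;
}
```

The point of the hardened form is that rejection happens before any allocation or indexing: a profile with zero or excessive channels, too few grid points, or dimensions whose product overflows is refused up front rather than discovered as a crash later.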

Impact

A crafted profile triggers undefined behavior in the form of invalid memory accesses, which can corrupt data or crash any application that parses profiles with an affected build of the library.

Reproduction

Processing a specially crafted ICC profile with an iccDEV build prior to 2.3.1.1 triggers the undefined behavior. The iccDumpProfile tool included in the iccDEV package reaches the affected code path, so running it on such a profile exposes the runtime errors. Because undefined behavior does not always produce a visible fault, a build instrumented with UndefinedBehaviorSanitizer or AddressSanitizer gives the most reliable signal when reproducing.

Remediation

Upgrade to iccDEV version 2.3.1.2 or later, where this vulnerability has been patched. Until the upgrade is deployed, treat ICC profiles from untrusted sources as hostile input and avoid parsing them with the affected library.

Added: Jan 6, 2026, 4:18 AM
Updated: Jan 6, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.