iccDEV Heap-Buffer-Overflow Vulnerability in CIccCLUT::Init()
Vulnerability
A heap-buffer-overflow vulnerability has been identified in the iccDEV library, specifically in versions prior to 2.3.1.2. The issue arises in the 'CIccCLUT::Init()' function within 'IccProfLib/IccTagLut.cpp', where improper validation of input data allows for memory corruption. This vulnerability impacts users processing International Color Consortium (ICC) color profiles with the affected library version.
Impact
Successful exploitation causes a heap-buffer-overflow, a type of memory corruption that can often be exploited to execute arbitrary code or cause a denial-of-service condition.
Reproduction
The vulnerability can be reproduced with the 'iccFromXml' command-line tool included with iccDEV by feeding it a crafted XML file that triggers the buffer overflow. The expected output is a heap-buffer-overflow error, which can be verified using AddressSanitizer, a memory error detection tool.
Remediation
Users can upgrade to version 2.3.1.2 or later, in which this vulnerability has been patched.
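The advisory does not show the faulty check, so the following is an added example, not iccDEV code or its patch: a C++ sketch of the size validation a CLUT initializer needs before it allocates and indexes its table. The function name, its parameters, the 16-channel cap and the sample grids are assumptions made for illustration.

```cpp
// Added illustration; every name here is hypothetical, not iccDEV code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption: ICC CLUT headers hold at most 16 grid-point bytes.
constexpr std::size_t kMaxInputChannels = 16;

// Computes how many values a CLUT with the given grid needs. Rejects grids
// that are empty, overflow size_t, or exceed the data backing the table.
bool checked_clut_size(const std::uint8_t* gridPoints, std::size_t nInput,
                       std::size_t nOutput, std::size_t valuesAvailable,
                       std::size_t* nValues) {
  if (!gridPoints || !nValues) return false;
  if (nInput == 0 || nInput > kMaxInputChannels || nOutput == 0) return false;

  std::size_t total = nOutput;
  for (std::size_t i = 0; i < nInput; ++i) {
    const std::size_t g = gridPoints[i];
    if (g == 0) return false;  // zero-sized dimension: no valid index exists
    if (total > std::numeric_limits<std::size_t>::max() / g) return false;  // would wrap
    total *= g;
  }
  if (total > valuesAvailable) return false;  // table larger than its input data
  *nValues = total;
  return true;
}

int main() {
  const std::uint8_t grid[3] = {17, 17, 17};  // constructed sample: 3 inputs
  std::uint8_t huge[16];                      // constructed sample: 255^16 entries
  for (std::uint8_t& g : huge) g = 255;

  std::size_t n = 0;
  std::printf("17x17x17, 3 outputs: %s\n",
              checked_clut_size(grid, 3, 3, 20000, &n) ? "accepted" : "rejected");
  std::printf("255^16, 3 outputs:   %s\n",
              checked_clut_size(huge, 16, 3, SIZE_MAX, &n) ? "accepted" : "rejected");
  return 0;
}
```

Running a parser with a check of this kind under AddressSanitizer on malformed profiles should produce a clean rejection rather than a heap-buffer-overflow report.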
