iccDEV Null Pointer Dereference Vulnerability in CIccXmlArrayType() Allowing Undefined Behavior
Vulnerability
A vulnerability allowing null pointer dereference and undefined behavior has been identified in iccDEV versions through 2.3.1.1. The issue arises in the CIccXmlArrayType() function, where user-controlled input is improperly integrated into ICC profile data or other structured binary blobs. Exploitation can lead to denial of service, data manipulation, application logic bypass, and in some cases, arbitrary code execution.
Impact
Exploitation of this vulnerability causes a null pointer dereference, leading to undefined behavior. This can disrupt normal application operations and, in certain contexts, allow for arbitrary code execution.
Reproduction
The vulnerability can be reproduced by crafting an ICC profile that includes user-controllable input, which is then processed by the application. This can be done by running the `iccFromXml` command on a specially designed XML file that triggers the null pointer dereference.
Remediation
Users can upgrade to iccDEV version 2.3.1.2 or later to address this vulnerability.
