iccDEV Undefined Behavior and Null Pointer Dereference Vulnerability in CIccTagXmlFloatNum::ParseXml()

Vulnerability

A vulnerability in the iccDEV library, affecting versions prior to 2.3.1.2, causes undefined behavior and a null pointer dereference in the function CIccTagXmlFloatNum::ParseXml(). The issue arises when user-controlled input is improperly integrated into ICC profile data or other structured binary blobs. Exploitation can lead to a denial-of-service condition, data manipulation, application logic bypass, and potentially arbitrary code execution.

Impact

Exploitation causes a runtime error by accessing a null pointer, which can lead to memory access violations. In some contexts, this vulnerability could be exploited to execute arbitrary code when vulnerable native libraries process the malformed ICC profile.

Reproduction

The vulnerability can be reproduced with the 'iccFromXml' command-line tool included in the iccDEV package, which converts XML representations of ICC profiles into binary ICC files. An XML file crafted so that user-controllable input reaches the 'ParseXml' function without proper validation triggers the null pointer dereference. AddressSanitizer, a memory error detector, reports the null pointer dereference as a runtime error.
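The page does not show the affected code, so the following is an added illustration of the bug class only (a numeric XML parser that dereferences absent element text) beside a fail-closed version; it is not iccDEV's code and not the project's fix. The struct xml_node type, both function names and the sample inputs are hypothetical and constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a parsed XML element (not an iccDEV type).
 * text is NULL when the element has no text child, e.g. <Value/>. */
struct xml_node {
    const char *name;
    const char *text;
};

/* Vulnerable pattern: assumes every element carries text. */
int parse_float_unchecked(const struct xml_node *node, double *out)
{
    *out = strtod(node->text, NULL); /* NULL text: undefined behavior */
    return 0;
}

/* Hardened pattern: fails closed on absent, empty, malformed or
 * out-of-range content instead of dereferencing it. */
int parse_float_checked(const struct xml_node *node, double *out)
{
    char *end = NULL;
    double v;
    if (node == NULL || out == NULL || node->text == NULL)
        return -1;
    errno = 0;
    v = strtod(node->text, &end);
    if (end == node->text || errno == ERANGE)
        return -1;                    /* no digits, or overflow/underflow */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;                        /* XML text often has trailing whitespace */
    if (*end != '\0')
        return -1;                    /* trailing junk such as "1.5abc" */
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal element and an empty one. */
    struct xml_node good = { "Value", " 1.5\n" };
    struct xml_node empty = { "Value", NULL };
    double v = 0.0;
    int rc = parse_float_checked(&good, &v);
    printf("good:  rc=%d v=%g\n", rc, v);
    printf("empty: rc=%d\n", parse_float_checked(&empty, &v));
    return 0;
}
```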

Remediation

Users can update to iccDEV version 2.3.1.2 or later, where this vulnerability has been fixed.

Added: Jan 24, 2026, 2:21 AM
Updated: Jan 24, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.