iccDEV Undefined Behavior Vulnerability in CIccTagXmlSegmentedCurve Allowing Code Execution and Denial-of-Service
Vulnerability
iccDEV through version 2.3.1.1 contains a type-confusion flaw in CIccTagXmlSegmentedCurve::ToXml(). A crafted ICC profile makes the method operate on a tag object of a type other than the segmented-curve type it expects, which is undefined behaviour in C++. ICC profiles are untrusted input wherever images, documents or colour-managed workflows accept embedded profiles, so a crafted profile that reaches this code can cause denial of service, corrupt or misrepresent the profile data that is emitted, bypass application logic that relies on profile metadata, and potentially lead to arbitrary code execution.
Impact
The immediate effect is a runtime error: the type confusion puts the process into undefined behaviour, which in practice means a crash (denial of service) and, depending on memory layout, memory corruption that may be leveraged for arbitrary code execution in the native process that parses the profile. Because the converter's XML output is derived from the confused object, a crafted profile can also produce manipulated profile data or bypass application logic that trusts the profile's metadata.
Reproduction
Craft an ICC file whose contents trigger the type confusion in CIccTagXmlSegmentedCurve::ToXml(), then convert it with the iccToXml command-line tool, which serialises the profile's tags through their ToXml() methods. On an affected version the conversion hits undefined behaviour and terminates with a runtime error; a build instrumented with UndefinedBehaviorSanitizer or AddressSanitizer reports the fault explicitly rather than relying on a crash.
Remediation
Update to iccDEV version 2.3.1.2 or later, which contains the fix. Until the update is applied, do not run iccToXml, or any other code path that reaches CIccTagXmlSegmentedCurve::ToXml(), on profiles from untrusted sources.
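The following is an added illustration of the bug class, not code from iccDEV and not a description of its internals: a tag-to-XML serializer that downcasts on the basis of the type the file declares rather than the object actually constructed (the vulnerable pattern), beside one that dispatches on the real object type and rejects a mismatch. The tag hierarchy, the names (Tag, CurveTag, TextTag, Entry, ParseTagData, ToXmlUnchecked, ToXmlChecked) and the byte layouts are hypothetical and constructed for this example.

```cpp
// Illustrative type-confusion pattern in a tag-to-XML serializer.
// Hypothetical code: NOT iccDEV's implementation; all names and layouts are invented.
#include <cstdint>
#include <iostream>
#include <memory>
#include <sstream>
#include <string>
#include <vector>

// Constructed 4-byte type signatures in the style of ICC tag types.
constexpr uint32_t kSigCurve = 0x63757276; // 'curv'
constexpr uint32_t kSigText  = 0x74657874; // 'text'

// Hypothetical tag hierarchy. Every object knows its own real type.
struct Tag {
  virtual ~Tag() = default;
  virtual uint32_t Sig() const = 0;
};
struct TextTag : Tag {
  std::string text;
  uint32_t Sig() const override { return kSigText; }
};
struct CurveTag : Tag {
  std::vector<uint16_t> samples;
  uint32_t Sig() const override { return kSigCurve; }
};

// What the file's tag table *claims* the tag is, plus the object built from its data block.
struct Entry {
  uint32_t declaredSig;
  std::unique_ptr<Tag> tag;
};

static uint32_t ReadBE32(const uint8_t* p) {
  return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Builds the object from the data block's own leading type signature, as a parser would.
// Curve payload: big-endian uint16 samples. Text payload: raw bytes. Unknown type: nullptr.
std::unique_ptr<Tag> ParseTagData(const std::vector<uint8_t>& blob) {
  if (blob.size() < 4) return nullptr;
  uint32_t sig = ReadBE32(blob.data());
  if (sig == kSigCurve) {
    auto c = std::make_unique<CurveTag>();
    for (size_t i = 4; i + 2 <= blob.size(); i += 2)
      c->samples.push_back(uint16_t((blob[i] << 8) | blob[i + 1]));
    return c;
  }
  if (sig == kSigText) {
    auto t = std::make_unique<TextTag>();
    t->text.assign(blob.begin() + 4, blob.end());
    return t;
  }
  return nullptr;
}

Entry MakeEntry(uint32_t declaredSig, const std::vector<uint8_t>& blob) {
  return Entry{declaredSig, ParseTagData(blob)};
}

// VULNERABLE pattern: trusts the table's declared signature and static_casts without
// checking what was actually constructed. If the table says 'curv' but the data block
// built a TextTag, the cast yields a CurveTag* aliasing a TextTag: undefined behaviour
// when samples.size()/data() are read out of std::string storage. Never call this with
// a mismatched entry; it is kept here only to show the pattern.
std::string ToXmlUnchecked(const Entry& e) {
  std::ostringstream xml;
  if (e.declaredSig == kSigCurve) {
    const CurveTag* c = static_cast<const CurveTag*>(e.tag.get()); // unchecked downcast
    xml << "<curve n=\"" << c->samples.size() << "\">";
    for (size_t i = 0; i < c->samples.size(); ++i) xml << (i ? " " : "") << c->samples[i];
    xml << "</curve>";
  } else if (e.declaredSig == kSigText) {
    const TextTag* t = static_cast<const TextTag*>(e.tag.get());
    xml << "<text>" << t->text << "</text>";
  }
  return xml.str();
}

// HARDENED: dispatch on the object's real type and refuse entries whose declared type
// disagrees with what was constructed. Returns false instead of serialising garbage.
bool ToXmlChecked(const Entry& e, std::string& out) {
  if (!e.tag || e.tag->Sig() != e.declaredSig) return false; // declared/actual mismatch
  std::ostringstream xml;
  if (auto c = dynamic_cast<const CurveTag*>(e.tag.get())) {
    xml << "<curve n=\"" << c->samples.size() << "\">";
    for (size_t i = 0; i < c->samples.size(); ++i) xml << (i ? " " : "") << c->samples[i];
    xml << "</curve>";
  } else if (auto t = dynamic_cast<const TextTag*>(e.tag.get())) {
    xml << "<text>" << t->text << "</text>";
  } else {
    return false;
  }
  out = xml.str();
  return true;
}

int main() {
  // Constructed inputs: a genuine curve block, and a 'text' block that a crafted
  // tag table mislabels as 'curv'.
  std::vector<uint8_t> curveBlob = {'c', 'u', 'r', 'v', 0x00, 0x01, 0xFF, 0xFF};
  std::vector<uint8_t> textBlob  = {'t', 'e', 'x', 't', 'a', 'b', 'c'};
  std::string xml;
  Entry good = MakeEntry(kSigCurve, curveBlob);
  Entry crafted = MakeEntry(kSigCurve, textBlob); // table lies about the type
  std::cout << (ToXmlChecked(good, xml) ? xml : "rejected") << '\n';
  std::cout << (ToXmlChecked(crafted, xml) ? xml : "rejected: declared type != actual type") << '\n';
  return 0;
}
```

The point of the checked version is that the decision about which serializer to run comes from the object the parser actually built, never from a field the attacker controls; the mismatch is reported as a parse failure rather than silently reinterpreted. Compiling either version with -fsanitize=undefined,address is the quickest way to confirm that a mislabelled input is caught.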
