iccDEV Heap Buffer Overflow Vulnerability in CIccIO::WriteUInt16Float()
Vulnerability
A heap buffer overflow vulnerability has been identified in the iccDEV library, in the CIccIO::WriteUInt16Float() function. It affects versions prior to 2.3.1.3 and arises when the iccFromXml tool processes malformed XML to create ICC profiles. The flaw allows a read operation that can be exploited to manipulate ICC profile data, potentially leading to memory corruption or, in some cases, arbitrary code execution.
Impact
Exploitation of this vulnerability causes a heap buffer overflow, which can lead to memory corruption. In the context of ICC profiles, this could allow an attacker to inject malicious data that could be executed when the profile is processed by vulnerable applications or libraries.
Reproduction
The vulnerability can be reproduced by using the iccFromXml tool to convert a specially crafted XML file into an ICC profile. The XML file must be designed to exploit the buffer overflow in the WriteUInt16Float() function.
Remediation
Users can update to iccDEV version 2.3.1.3 or later, where this vulnerability has been patched.
