iccDEV Out-of-Bounds Read Vulnerability in ICC Profile Processing
Vulnerability
An out-of-bounds read vulnerability has been identified in iccDEV versions prior to 2.3.1.3. The issue is in the color management module's ICC profile processing, specifically at IccCmm.cpp line 5793. Array bounds are not validated properly there, so a malformed ICC profile can cause unauthorized access to memory beyond the allocated array boundary. This out-of-bounds read may result in memory disclosure or a segmentation fault.
Impact
Exploitation of this vulnerability causes an out-of-bounds read, which can lead to memory disclosure or a segmentation fault from accessing memory outside the array boundaries.
Reproduction
The vulnerability can be reproduced by processing a specially crafted ICC profile that exercises the array bounds validation issue. This can be done by downloading the crafted ICC profile from the GitHub repository and processing it with the 'iccRoundTrip' command-line tool included with iccDEV.
Remediation
Users should update to iccDEV version 2.3.1.3 or later, where this vulnerability has been patched.
