iccDEV Segmentation Fault Vulnerability in CIccCalculatorFunc::ApplySequence() Prior to Version 2.3.1.5
Vulnerability
A segmentation fault vulnerability has been identified in iccDEV versions prior to 2.3.1.5. This issue arises from an invalid pointer read in the 'CIccCalculatorFunc::ApplySequence()' function, leading to a denial-of-service condition. The vulnerability has been addressed in version 2.3.1.5.
Impact
Exploitation of this vulnerability causes a segmentation fault, terminating the process. AddressSanitizer reports the crash as a read memory access violation, which is characteristic of a wild pointer dereference.
Reproduction
The vulnerability can be reproduced with a crafted ICC file that triggers the wild pointer read in the 'CIccCalculatorFunc::ApplySequence()' method, by running the 'iccApplyProfiles' tool with the vulnerable ICC file as input. AddressSanitizer can be used to detect the segmentation fault caused by the vulnerability.
Remediation
Users can update to iccDEV version 2.3.1.5 or later, where this vulnerability has been fixed. Version 2.3.1.5 is available through the GitHub Releases page, as well as via Homebrew, NPM, and Docker.
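For crash triage, the AddressSanitizer signature described under Impact and Reproduction and the fixed version given under Remediation can be checked mechanically. The following is an added example, not code from the iccDEV project: the sample report is constructed (PID, addresses, paths and the caller name are placeholders, and the symbol's parameter list is elided), and the helper names `classify` and `is_vulnerable` are hypothetical.

```python
import re

TARGET = "CIccCalculatorFunc::ApplySequence"   # function named in the advisory
FIXED = (2, 3, 1, 5)                           # first fixed release, per the advisory

# Constructed ASan report: PID, addresses and source paths are placeholders,
# and the parameter list of the symbol is elided.
SAMPLE_REPORT = """\
==1234==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000400000 bp 0x7ffc00000000 sp 0x7ffc00000000 T0)
==1234==The signal is caused by a READ memory access.
    #0 0x400000 in CIccCalculatorFunc::ApplySequence(...) /src/placeholder.cpp:1
    #1 0x400100 in placeholder_caller /src/placeholder.cpp:2
"""

KIND_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)", re.M)


def classify(report: str) -> str:
    """Return 'match', 'related' or 'unrelated' for one ASan report."""
    kind = KIND_RE.search(report)
    access = ACCESS_RE.search(report)
    if not kind or kind.group(1) != "SEGV" or not access or access.group(1) != "READ":
        return "unrelated"
    frames = {}
    for num, sym in FRAME_RE.findall(report):
        # Keep the first stack only and strip the parameter list from the symbol.
        frames.setdefault(int(num), sym.split("(")[0])
    if frames.get(0) == TARGET:
        return "match"        # faulting frame is the function in the advisory
    if TARGET in frames.values():
        return "related"      # function is on the stack, fault is in a callee
    return "unrelated"


def is_vulnerable(version: str) -> bool:
    """True if a dotted iccDEV version is older than the fixed release."""
    # Compare numerically: as strings, "2.3.1.10" would sort before "2.3.1.5".
    parts = tuple(int(p) for p in version.lstrip("vV").split("."))
    return parts < FIXED


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT), is_vulnerable("2.3.1.4"), is_vulnerable("2.3.1.10"))
```

A 'match' on a build for which `is_vulnerable` is false would point to a different or regressed defect rather than the one fixed in 2.3.1.5.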
