iccDEV Heap-Based Buffer Overflow Vulnerability in CTiffImg::ReadLine()
Vulnerability
A heap-based buffer overflow vulnerability has been identified in iccDEV versions prior to 2.3.1.5. The issue occurs in the CTiffImg::ReadLine() function when the 'iccApplyProfiles' tool processes a specially crafted TIFF image. This vulnerability can lead to memory disclosure or cause the application to crash.
Impact
The heap-based buffer overflow can corrupt memory, potentially allowing arbitrary code execution, or cause the application to crash. In this case, the overflow was triggered by a crafted TIFF image, which makes such images a vector for memory corruption attacks.
Reproduction
The vulnerability can be reproduced with the 'iccApplyProfiles' tool included in iccDEV. With a vulnerable version of iccDEV downloaded, processing the crafted TIFF image with 'iccApplyProfiles' leads to the heap-buffer-overflow error. The tool is run with the crafted TIFF image and a compatible ICC profile as inputs.
Remediation
Users can upgrade to iccDEV version 2.3.1.5 or later, where this vulnerability has been fixed. The latest version can be downloaded from the GitHub Releases page or via package managers like Homebrew, NPM, or Docker.
