iccDEV Undefined Behavior Vulnerability in CIccCombinedConnectionConditions Constructor Allowing Process Crash
Vulnerability
A vulnerability in iccDEV versions prior to 2.3.1.6 allows a crafted ICC profile to cause undefined behavior by triggering a null-pointer dereference in the CIccCombinedConnectionConditions constructor. This issue, which can be exploited by running iccApplyNamedCmm with the -PCC option and a malformed .icc profile, has been reported to result in a process crash, creating a denial-of-service condition.
Impact
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition.
Reproduction
To reproduce the vulnerability, process a specific malformed ICC profile with the iccApplyNamedCmm tool; the profile triggers the null-pointer dereference. The profile can be obtained from the GitHub repository of the International Color Consortium, and running the tool under the Undefined Behavior Sanitizer highlights the runtime error caused by the vulnerability.
Remediation
Users can update to iccDEV version 2.3.1.6 or later to address this vulnerability.
