Little CMS Integer Overflow Vulnerability in CubeSize Function Allows Heap-Based Buffer Overflow

Vulnerability

A check-after-multiply integer overflow has been identified in Little CMS (lcms2) versions through 2.18, in the CubeSize function in cmslut.c. CubeSize computes the number of nodes in a CLUT by multiplying together the grid-point counts of all input channels, but it tests for overflow only after each multiplication, at which point the 32-bit running product may already have wrapped around. A crafted ICC profile with five or more CLUT channels can make the product wrap to a small value that passes the check, so the CLUT buffer is allocated far smaller than the table the interpolator later walks. The result is a heap-based buffer overflow during interpolation, which crashes the processing application.
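The following C program is an added illustration (not code from this advisory or from the lcms2 project): it models the check-after-multiply pattern described above beside the hardened check-before-multiply form, runs both over a constructed five-channel grid, and adds a triage helper for grid-point counts read out of an ICC profile. The function and variable names are the example's own, the real lcms2 CubeSize is not reproduced here, and the grid-point counts are chosen to demonstrate the wrap; they are not claimed to be the ones used in any published proof of concept. Each count is kept at 255 or below because ICC profiles store CLUT grid-point counts as single bytes.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed grid-point counts for a five-channel CLUT (example data,
 * not taken from the advisory). Each value is <= 255 because ICC
 * profiles store CLUT grid-point counts as single bytes. The loops
 * below walk the array from the last index to the first, so channel
 * 0 (255 grid points) is multiplied in last. */
#define EXAMPLE_CHANNELS 5
const uint32_t kExampleDims[EXAMPLE_CHANNELS] = { 255, 130, 130, 100, 10 };

/* Vulnerable pattern: multiply, then compare. Unsigned multiplication
 * wraps modulo 2^32, so when rv * dim exceeds UINT32_MAX the value the
 * check inspects is already the wrapped (possibly small) product. */
uint32_t cube_size_check_after(const uint32_t dims[], uint32_t channels)
{
    uint32_t rv = 1;
    for (uint32_t b = channels; b > 0; b--) {
        uint32_t dim = dims[b - 1];
        if (dim <= 1)
            return 0;                  /* degenerate grid: error   */
        rv *= dim;                     /* may wrap here ...        */
        if (rv > UINT32_MAX / dim)
            return 0;                  /* ... so this can pass wrongly */
    }
    return rv;
}

/* Hardened pattern: establish that rv * dim fits in 32 bits before
 * performing the multiplication, so no wrapped value is ever inspected. */
uint32_t cube_size_check_before(const uint32_t dims[], uint32_t channels)
{
    uint32_t rv = 1;
    for (uint32_t b = channels; b > 0; b--) {
        uint32_t dim = dims[b - 1];
        if (dim <= 1)
            return 0;
        if (rv > UINT32_MAX / dim)
            return 0;                  /* rv * dim would overflow  */
        rv *= dim;
    }
    return rv;
}

/* Exact node count in 64-bit arithmetic, to show how far the wrapped
 * value is from the truth. Returns 0 if even 64 bits would overflow. */
uint64_t cube_size_exact(const uint32_t dims[], uint32_t channels)
{
    uint64_t rv = 1;
    for (uint32_t b = channels; b > 0; b--) {
        uint64_t dim = dims[b - 1];
        if (dim <= 1 || rv > UINT64_MAX / dim)
            return 0;
        rv *= dim;
    }
    return rv;
}

/* Triage helper (hypothetical name) for grid-point counts parsed from an
 * ICC profile: returns 1 when nodes * output_channels * sizeof(uint16_t)
 * fits a 32-bit allocation size, 0 when the profile should be rejected
 * before it reaches a library that may still carry the vulnerable check. */
int clut_alloc_fits_u32(const uint32_t dims[], uint32_t channels,
                        uint32_t output_channels)
{
    uint64_t nodes = cube_size_exact(dims, channels);
    if (nodes == 0 || output_channels == 0)
        return 0;
    uint64_t per_node = (uint64_t)output_channels * sizeof(uint16_t);
    return nodes <= UINT32_MAX / per_node;
}

int main(void)
{
    printf("check-after  : %" PRIu32 " nodes\n",
           cube_size_check_after(kExampleDims, EXAMPLE_CHANNELS));
    printf("check-before : %" PRIu32 " nodes (0 = rejected)\n",
           cube_size_check_before(kExampleDims, EXAMPLE_CHANNELS));
    printf("exact        : %" PRIu64 " nodes\n",
           cube_size_exact(kExampleDims, EXAMPLE_CHANNELS));
    printf("fits 32-bit allocation with 3 outputs: %d\n",
           clut_alloc_fits_u32(kExampleDims, EXAMPLE_CHANNELS, 3));
    return 0;
}
```

With these counts the running product reaches 16,900,000 after four channels; multiplying by the fifth count of 255 gives 4,309,500,000, which wraps to 14,532,704 in 32 bits. That is below UINT32_MAX / 255 = 16,843,009, so the after-the-fact check passes and a buffer sized for about 14.5 million nodes would be allocated for a table the interpolator walks as about 4.3 billion nodes. The check-before form rejects the same input at the fifth channel, because 16,900,000 already exceeds 16,843,009 before the multiplication.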

Impact

Exploitation causes a heap-based buffer overflow, leading to a segmentation fault and an application crash (denial of service). On Ubuntu 24.04 LTS with ASLR disabled, the out-of-bounds access has additionally been observed to yield a coarse information disclosure, leaking seed-correlated bytes from the heap.

Reproduction

The vulnerability can be reproduced with a crafted ICC profile containing a five-channel CLUT. Embedded in a PDF, the profile is processed by any application that renders PDFs through Poppler, such as the Evince PDF viewer or the GIMP image editor (PDF import). It can also be triggered from a Java application on OpenJDK 21, which bundles lcms, by passing the malicious profile bytes to ICC_Profile.getInstance().

Remediation

Users should upgrade to a Little CMS release that contains the CubeSize fix. Because the affected range listed above includes 2.18, confirm that the CubeSize function in cmslut.c of the release you deploy performs the overflow check before the multiplication rather than after it. For OpenJDK users on Windows, upgrade to a build that no longer bundles a vulnerable lcms.dll.

Added: Apr 18, 2026, 7:20 AM
Updated: Apr 18, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm
spread          6.6
impact          1.3
exploitability  6.0
remediation     7.7
relevance       6.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.