
Fix: SBO in CIccCalculatorFunc::Apply() #694

Merged
xsscx merged 1 commit into master from issue-678 on Mar 15, 2026

Conversation

@ChrisCoxArt
Contributor

Fixes #678

Pull Request Checklist

  • Have you followed the guidelines in the Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you built your Pull Request locally with the Build Instructions?
  • Have you added or updated relevant tests?
  • Have you added or updated relevant docs?

@ChrisCoxArt ChrisCoxArt requested a review from xsscx as a code owner March 15, 2026 02:37
@xsscx xsscx self-assigned this Mar 15, 2026
@xsscx xsscx added the labels "PR" (Pull Request) and "Review in Process" (Issue is being Reviewed by Maintainers) and removed the "pending" label Mar 15, 2026
@xsscx xsscx changed the title from "check m_pCalc input and output count before calling it" to "Fix: SBO in CIccCalculatorFunc::Apply()" Mar 15, 2026
@xsscx xsscx added the label "Pending Merge" (Maintainer indicates Merge Pending and requests no further changes) and removed the "Review in Process" (Issue is being Reviewed by Maintainers) label Mar 15, 2026
Member

@xsscx xsscx left a comment


Maintainer Review

2026-03-15 02:47:02 UTC

Repro

# clone the repository and check out the PR head
mkdir pr-694
cd pr-694
git clone https://github.com/InternationalColorConsortium/iccDEV.git
cd iccDEV/Build
git fetch origin pull/694/head:pr-694
git checkout pr-694

# instrumented build: ASan + UBSan + coverage
export CXX=clang++ && \
export CXXFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O1 -fprofile-arcs -ftest-coverage" && \
export LDFLAGS="-fsanitize=address,undefined -fprofile-arcs" && \
cmake Cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON -DENABLE_UBSAN=ON -DENABLE_COVERAGE=ON
make -j$(nproc)

# put the freshly built tools on PATH
cd ../Testing/
echo "=== Updating PATH ==="
for d in ../Build/Tools/*; do
  [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
done

# fetch the PoC profile and apply it with ASan scariness reporting enabled
wget https://github.com/xsscx/fuzz/raw/refs/heads/master/graphics/icc/sbo-CIccCalculatorFunc-Apply-IccMpeCalc_cpp-Line3873.icc
export ASAN_OPTIONS=print_scariness=1 && \
printf "'RGB '\t; Data Format\nicEncodeFloat\t; Encoding\n\n0.5 0.5 0.5\n" > pcc-test-data.txt && \
ASAN_OPTIONS=print_scariness=1 iccApplyNamedCmm pcc-test-data.txt 0 0 sbo-CIccCalculatorFunc-Apply-IccMpeCalc_cpp-Line3873.icc 0

PR Application Output

[2026-03-15 02:46:45 UTC] ~/pr-694/iccDEV/Testing (pr-694)$ export ASAN_OPTIONS=print_scariness=1 && printf "'RGB '\t; Data Format\nicEncodeFloat\t; Encoding\n\n0.5 0.5 0.5\n" > pcc-test-data.txt && ASAN_OPTIONS=print_scariness=1 iccApplyNamedCmm pcc-test-data.txt 0 0 sbo-CIccCalculatorFunc-Apply-IccMpeCalc_cpp-Line3873.icc 0
Error 3 - Unable to begin profile application - Possibly invalid or incompatible profiles

=================================================================
==41589==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x5697362d5f91 in operator new[](unsigned long) (/home/h02332/pr-694/iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x15bf91) (BuildId: 55d41a0092ec5683a5f97d63d6d073a831b7eae0)
    #1 0x7b0ae42028f5 in CIccMpeToneMap::Read(unsigned int, CIccIO*) /home/h02332/pr-694/iccDEV/IccProfLib/IccMpeBasic.cpp:4525:31
    #2 0x7b0ae44c4ef0 in CIccTagMultiProcessElement::Read(unsigned int, CIccIO*) /home/h02332/pr-694/iccDEV/IccProfLib/IccTagMPE.cpp:1068:21
    #3 0x7b0ae42c27bf in CIccProfile::LoadTag(IccTagEntry*, CIccIO*, bool) /home/h02332/pr-694/iccDEV/IccProfLib/IccProfile.cpp:1335:14
    #4 0x7b0ae42c2027 in CIccProfile::FindTag(IccTagEntry&) /home/h02332/pr-694/iccDEV/IccProfLib/IccProfile.cpp:437:5
    #5 0x7b0ae40b0343 in CIccXform::Create(CIccProfile*, bool, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) /home/h02332/pr-694/iccDEV/IccProfLib/IccCmm.cpp:634:30
    #6 0x7b0ae415bd1f in CIccNamedColorCmm::AddXform(CIccProfile*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*) /home/h02332/pr-694/iccDEV/IccProfLib/IccCmm.cpp:10799:17
    #7 0x7b0ae4159317 in CIccNamedColorCmm::AddXform(char const*, icRenderingIntent, icXformInterp, IIccProfileConnectionConditions*, icXformLutType, bool, CIccCreateXformHintManager*, bool) /home/h02332/pr-694/iccDEV/IccProfLib/IccCmm.cpp:10549:20
    #8 0x5697362da5a7 in main /home/h02332/pr-694/iccDEV/Tools/CmdLine/IccApplyNamedCmm/iccApplyNamedCmm.cpp:381:18
    #9 0x7b0ae342a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7b0ae342a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x5697361fca04 in _start (/home/h02332/pr-694/iccDEV/Build/Tools/IccApplyNamedCmm/iccApplyNamedCmm+0x82a04) (BuildId: 55d41a0092ec5683a5f97d63d6d073a831b7eae0)

SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).
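Added example, not iccDEV code and not the diff from this PR (the page does not show the patch): a self-contained C++ model of the check named in the PR's original title, verifying a calculator's own input and output channel counts against the pipeline stage that wraps it before calling Apply(). The names Calculator, CalcStage, ParseStage, ApplyChecked, OverflowBytes and RunStage, and the 8-byte header layout, are assumptions constructed for the illustration; the crafted sample blob declares 8 calculator outputs for a 3-channel stage, the kind of disagreement that would write past a stage-sized buffer if Apply() were called unchecked.

```cpp
// Added illustration, not iccDEV code: why a calculator element's own
// input/output counts must be checked against the stage that wraps it
// before Apply() is called. All names and the byte layout are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Calculator {
    uint16_t nInputs  = 0;
    uint16_t nOutputs = 0;
    // Trusts its own counts, as an element applied by a pipeline does:
    // it writes nOutputs floats to dst regardless of what dst can hold.
    void Apply(float* dst, const float* src) const {
        for (uint16_t i = 0; i < nOutputs; ++i)
            dst[i] = (i < nInputs) ? src[i] * 0.5f : 0.0f;
    }
};

// The stage that owns the calculator; its counts size the caller's buffers.
struct CalcStage {
    uint16_t nInputs  = 0;
    uint16_t nOutputs = 0;
    const Calculator* pCalc = nullptr;
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

// Constructed layout: stage counts (2 x uint16 BE) followed by the embedded
// calculator's own counts (2 x uint16 BE). Both come from the file, so a
// crafted profile can make them disagree.
bool ParseStage(const uint8_t* buf, size_t len, CalcStage& st, Calculator& calc) {
    if (len < 8) return false;
    st.nInputs    = be16(buf + 0);
    st.nOutputs   = be16(buf + 2);
    calc.nInputs  = be16(buf + 4);
    calc.nOutputs = be16(buf + 6);
    st.pCalc = &calc;
    return true;
}

// Bytes an unchecked st.pCalc->Apply() would write past an output buffer
// sized from the stage: the overflow condition the check below prevents.
size_t OverflowBytes(const CalcStage& st) {
    if (!st.pCalc || st.pCalc->nOutputs <= st.nOutputs) return 0;
    return size_t(st.pCalc->nOutputs - st.nOutputs) * sizeof(float);
}

// Hardened call: verify the calculator's counts against the stage's and the
// caller's buffers before applying. Returns false instead of overflowing.
bool ApplyChecked(const CalcStage& st, const float* src, size_t srcLen,
                  float* dst, size_t dstLen) {
    if (!st.pCalc) return false;
    if (st.pCalc->nInputs != st.nInputs || st.pCalc->nOutputs != st.nOutputs)
        return false;                       // counts disagree: reject
    if (srcLen < st.nInputs || dstLen < st.nOutputs)
        return false;                       // caller's buffers too small
    st.pCalc->Apply(dst, src);
    return true;
}

// Runs one constructed stage blob through the checked path; returns the
// outputs, or an empty vector when the stage is rejected.
std::vector<float> RunStage(const std::vector<uint8_t>& blob) {
    CalcStage st;
    Calculator calc;
    if (!ParseStage(blob.data(), blob.size(), st, calc)) return {};
    std::vector<float> in(st.nInputs, 0.5f);    // mirrors the 0.5 0.5 0.5 input
    std::vector<float> out(st.nOutputs, 0.0f);  // buffer sized from the stage
    if (!ApplyChecked(st, in.data(), in.size(), out.data(), out.size())) return {};
    return out;
}

// Constructed sample blobs: a consistent 3->3 stage, and a crafted one whose
// calculator claims 8 outputs while the stage (and caller's buffer) has 3.
const std::vector<uint8_t> kGoodBlob = {0, 3, 0, 3, 0, 3, 0, 3};
const std::vector<uint8_t> kBadBlob  = {0, 3, 0, 3, 0, 3, 0, 8};

int main() {
    // stand-alone smoke run: accept the consistent stage, reject the crafted one
    return (RunStage(kGoodBlob).size() == 3 && RunStage(kBadBlob).empty()) ? 0 : 1;
}
```

The point of the example is where the check sits: the counts are compared before the call, at the caller, because the element itself has no way to know how large the caller's buffers are. With the PoC above, the same mismatch surfaces as ASan's stack-buffer-overflow report in Apply(); with the check in place the profile is rejected at load or apply time instead.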

@xsscx xsscx merged commit 56f6141 into master Mar 15, 2026
27 checks passed
@xsscx xsscx removed the Pending Merge Maintainer indicates Merge Pending and requests no further changes label Mar 15, 2026
xsscx pushed a commit that referenced this pull request Mar 15, 2026
Fixed upstream in 56f6141 (PR #694). Configs reproduce via -cfg flag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Labels: PR (Pull Request)

Development: successfully merging this pull request may close the issue "SBO in CIccCalculatorFunc::Apply() at IccMpeCalc.cpp:3873".

2 participants