CVE CyberSecurity Database News

CVE-2023-46866 - Out-of-Bounds Array Access in International Color Consortium DemoIccMAX (libSampleICC.a) Explained

Poster -

Recently, security researchers found a vulnerability in the DemoIccMAX project from the International Color Consortium. This flaw – tracked as CVE-2023-46866 – can let attackers exploit a bug to access data outside an array’s intended boundaries. In this post, I’ll break down what the bug is, where it’s found, why it matters, and even walk you through the code with easy-to-follow examples.

Title: Out-of-bounds Read in DemoIccMAX CLUT Interpolation (CIccCLUT::Interp3d)

- Vulnerable File: IccProfLib/IccTagLut.cpp (in the static library libSampleICC.a)

Upstream Commit: 79ecb74

- Impact: Potential info leaks, possible crashes. In some environments, even remote code execution via crafted ICC files.
- Discoverer: Security Researcher ybden

1. What is DemoIccMAX?

DemoIccMAX is an open-source, reference code implementation from the International Color Consortium (ICC). It’s used for handling, checking, and converting color profiles — which are widely used in imaging, printing, and color management.

2. What is the CVE-2023-46866 Bug?

The bug hides in a component called the CLUT (Color Lookup Table), specifically when it runs *3D Interpolation* using the Interp3d method. The code mistakenly trusts the provided input indices, letting it accidentally (or, with crafted input, *deliberately*) access elements *beyond* the allocated array.

This is a classic out-of-bounds read and/or write.

Here’s a simplified excerpt of the buggy function

// File: IccProfLib/IccTagLut.cpp

void CIccCLUT::Interp3d(const icFloatNumber *Src, icFloatNumber *Dest) const {
  // ...
  int ix = (int)Src[];
  int iy = (int)Src[1];
  int iz = (int)Src[2];

  // Later used as indices for array access
  int idx = ix * m_nSamplesY * m_nSamplesZ + iy * m_nSamplesZ + iz;
  Dest[] = m_pTable[idx];  // No bounds check!

  // ...
}

> Key Problem: The values in ix, iy, or iz are not checked to see if they are less than the number of samples or non-negative. A malicious ICC profile can supply values that go out of bounds.

In *some* contexts, write out of bounds (more severe, may allow arbitrary code execution).

If software parses ICC profiles from untrusted sources (say, uploaded images in a web app), this could be exploitable remotely!

## 5. Proof-of-Concept / Exploit Example

Below is a demonstration that would simulate out-of-bounds access. In realistic attacks, the user would craft an ICC profile file triggering this code.

icFloatNumber input[3] = { 99999.f, .f, .f };   // massively out-of-bounds
icFloatNumber output[3];

clut.Interp3d(input, output);  // This will access m_pTable[impossibly_large_index]

You can cause a crash or, if you’re very lucky (or unlucky!), leak data from adjacent memory.

6. Why This Matters

Many libraries and applications link against DemoIccMAX for color profile support. If a web server, printer, or publishing tool processes also color profiles in an unsafe way, they may be vulnerable to this.

- Official CVE entry - CVE-2023-46866
- DemoIccMAX upstream issue
- Commit 79ecb74 on github.com/InternationalColorConsortium/DemoIccMAX
- ICC official site

Check your indices before using them! The patched code looks like this

// Ensure indices are inside valid bounds
ix = std::max(, std::min(ix, m_nSamplesX - 1));
iy = std::max(, std::min(iy, m_nSamplesY - 1));
iz = std::max(, std::min(iz, m_nSamplesZ - 1));

int idx = ix * m_nSamplesY * m_nSamplesZ + iy * m_nSamplesZ + iz;
Dest[] = m_pTable[idx];

10. Am I Vulnerable?

- If you’re shipping or deploying software built with DemoIccMAX prior to the fix, and process untrusted ICC files: YOU ARE VULNERABLE!

11. Conclusion — Lessons Learned

Small bugs can have big impacts. Even open source reference code used in “boring” systems like color management can have vulnerabilities with serious real-world consequences. Always check bounds before using array indices, and don't trust data from files — even color profiles.

Patch now, stay safe!

Share this post with your developer or IT security team!
If you want more details, the DemoIccMAX GitHub issues is a great place to track updates.


*CVE-2023-46866 is a prime example of why secure coding matters everywhere, even in places you least expect.*

Timeline

Published on: 10/30/2023 03:15:07 UTC
Last modified on: 11/04/2023 03:23:43 UTC