Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054
We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file:

---
(61e4.8620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000453 ecx=0922cafd edx=00000c63 esi=0038f7ac edi=0004be40
eip=6ac573e9 esp=0038f6ec ebp=0038f784 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a:
6ac573e9 0fb61411 movzx edx,byte ptr [ecx+edx] ds:002b:0922d760=??
0:000> kb
ChildEBP RetAddr Args to Child
0038f784 6ac57844 0038f7ac 0038f840 00000000 icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a
0038f798 6ac4807d 0038f7ac 0038f840 76f611a9 icm32!LHCalc3to3_Di16_Do16_Lut8_G32+0x12
0038f8ac 6ac4204c 07b46e58 085f1000 000285c3 icm32!LHMatchColorsPrivate+0xef
0038f8c0 6c5ecab5 00000100 07de1000 000285c3 icm32!CMTranslateColors+0x44
0038f940 011c1963 4f42e2c8 07de1000 000285c3 mscms!TranslateColors+0x108
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.
Attached are two color profiles which trigger the crash at two different offsets within the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function.
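The crash above occurs inside a lut8Type handler of the colour management library, reading a byte at an index derived from a malformed profile. A consumer of untrusted profiles can reject structurally inconsistent files before they ever reach such code. The following checker is an added example, not code from the Project Zero report and not the report's attachments: it validates the ICC tag table and, for every lut8Type ('mft1') tag, confirms that the input tables, CLUT and output tables implied by the channel and grid-point bytes actually fit inside the tag. The field layout follows the ICC.1 specification; the sample profiles are constructed inline and do not reproduce the reported crash.

```python
"""Structural bounds check for ICC colour profiles (added example).

Not code from the Project Zero report; it does not reproduce the reported
crash. It demonstrates pre-parse validation a consumer of untrusted colour
profiles can run before handing a file to a colour management library.
Field layout follows the ICC.1 specification (128-byte header, tag table,
lut8Type tag body). The sample profiles below are constructed here.
"""
import struct

HEADER_SIZE = 128          # fixed ICC profile header
TAG_ENTRY_SIZE = 12        # signature(4) + offset(4) + size(4), big-endian
LUT8_SIG = b"mft1"         # lut8Type signature
LUT8_FIXED = 48            # sig(4) + reserved(4) + in/out/grid/pad(4) + 3x3 matrix(36)
LUT8_TABLE_ENTRIES = 256   # each lut8 input/output table holds 256 one-byte entries


def lut8_expected_size(in_ch, out_ch, grid):
    """Bytes a lut8Type body needs for the given channel counts and CLUT grid."""
    return (LUT8_FIXED
            + LUT8_TABLE_ENTRIES * in_ch
            + (grid ** in_ch) * out_ch
            + LUT8_TABLE_ENTRIES * out_ch)


def check_icc_profile(data):
    """Return a list of structural problems; an empty list means consistent."""
    problems = []
    if len(data) < HEADER_SIZE + 4:
        return ["file shorter than ICC header plus tag count"]
    declared = struct.unpack(">I", data[0:4])[0]
    if declared > len(data):
        problems.append(f"header claims {declared} bytes, file has {len(data)}")
    tag_count = struct.unpack(">I", data[HEADER_SIZE:HEADER_SIZE + 4])[0]
    table_end = HEADER_SIZE + 4 + tag_count * TAG_ENTRY_SIZE
    if table_end > len(data):
        problems.append(f"tag table with {tag_count} entries runs past end of file")
        return problems
    for n in range(tag_count):
        entry = HEADER_SIZE + 4 + n * TAG_ENTRY_SIZE
        sig, off, size = struct.unpack(">4sII", data[entry:entry + TAG_ENTRY_SIZE])
        name = sig.decode("latin-1")
        if off + size > len(data):
            problems.append(f"tag {name}: offset {off} + size {size} exceeds file")
            continue
        body = data[off:off + size]
        if body[:4] != LUT8_SIG:
            continue                      # only lut8Type is modelled here
        if len(body) < LUT8_FIXED:
            problems.append(f"tag {name}: lut8Type body truncated")
            continue
        in_ch, out_ch, grid = body[8], body[9], body[10]
        if in_ch == 0 or out_ch == 0 or grid < 2:   # ICC requires >= 2 grid points
            problems.append(f"tag {name}: invalid lut8 i={in_ch} o={out_ch} g={grid}")
            continue
        need = lut8_expected_size(in_ch, out_ch, grid)
        if need > len(body):
            problems.append(f"tag {name}: lut8 i={in_ch} o={out_ch} g={grid} "
                            f"needs {need} bytes, tag holds {len(body)}")
    return problems


def build_profile(in_ch, out_ch, grid, claimed_grid=None):
    """Constructed sample: minimal profile with a single A2B0 lut8Type tag.

    claimed_grid lets the grid-points byte disagree with the CLUT data that
    is actually present, the kind of inconsistency the checker must catch.
    """
    tag_off = HEADER_SIZE + 4 + TAG_ENTRY_SIZE
    ramp = bytes(range(LUT8_TABLE_ENTRIES))
    identity = struct.pack(">9i", 0x10000, 0, 0, 0, 0x10000, 0, 0, 0, 0x10000)
    grid_byte = claimed_grid if claimed_grid is not None else grid
    body = (LUT8_SIG + b"\0" * 4
            + bytes([in_ch, out_ch, grid_byte, 0])
            + identity
            + ramp * in_ch
            + bytes((grid ** in_ch) * out_ch)     # CLUT sized from the real grid
            + ramp * out_ch)
    total = tag_off + len(body)
    header = struct.pack(">I", total) + b"\0" * 32 + b"acsp" + b"\0" * (HEADER_SIZE - 40)
    table = struct.pack(">I", 1) + struct.pack(">4sII", b"A2B0", tag_off, len(body))
    return header + table + body


if __name__ == "__main__":
    print("well-formed:", check_icc_profile(build_profile(3, 3, 2)))
    print("grid lies:  ", check_icc_profile(build_profile(3, 3, 2, claimed_grid=255)))
    print("truncated:  ", check_icc_profile(build_profile(3, 3, 2)[:-100]))
```

The checker deliberately computes the required size from the declared channel and grid counts rather than trusting the tag size alone, because a tag whose size field is consistent with the file can still advertise a CLUT far larger than the bytes it carries; that mismatch is what a LUT reader indexing with untrusted grid dimensions would walk past.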
Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41659.zip