Microsoft Color Management Module icm32.dll - icm32!LHCalc3toX_Di16_Do16_Lut8_G32 Out-of-Bounds Read

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054
 
We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file:
 
---
(61e4.8620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000453 ecx=0922cafd edx=00000c63 esi=0038f7ac edi=0004be40
eip=6ac573e9 esp=0038f6ec ebp=0038f784 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a:
6ac573e9 0fb61411        movzx   edx,byte ptr [ecx+edx]     ds:002b:0922d760=??
0:000> kb
ChildEBP RetAddr  Args to Child              
0038f784 6ac57844 0038f7ac 0038f840 00000000 icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a
0038f798 6ac4807d 0038f7ac 0038f840 76f611a9 icm32!LHCalc3to3_Di16_Do16_Lut8_G32+0x12
0038f8ac 6ac4204c 07b46e58 085f1000 000285c3 icm32!LHMatchColorsPrivate+0xef
0038f8c0 6c5ecab5 00000100 07de1000 000285c3 icm32!CMTranslateColors+0x44
0038f940 011c1963 4f42e2c8 07de1000 000285c3 mscms!TranslateColors+0x108
[...]
---
 
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.
 
Attached are two color profiles which trigger the crash at two different offsets within the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41659.zip

#  0day.today [2018-04-14]  #