Status: Invalid
Closed: Jan 2017
Microsoft Color Matching System (mscms.dll) heap-based buffer overflow in mscms!CTetra::Intp3D
Project Member Reported by mjurczyk@google.com, Dec 20 2016
We have encountered a crash in the Windows Color Matching System library (mscms.dll), in the mscms!CTetra::Intp3D function, while trying to translate colors based on a malformed color profile file:

---
(6944.6678): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c8ed228 ebx=0c8ee080 ecx=00000000 edx=0c8ed21c esi=0caaf004 edi=0c8edfb4
eip=6c62a8b8 esp=0041fba4 ebp=0041fbbc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mscms!CTetra::Intp3D+0x1bc:
6c62a8b8 d95efc          fstp    dword ptr [esi-4]    ds:002b:0caaf000=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
0041fbbc 6c62adb3 0c08aff0 0c092f40 0041fbf4 mscms!CTetra::Intp3D+0x1bc
0041fbcc 6c628562 00000f7b 0c8ed210 0c08aff0 mscms!CTetra::Interpolate+0x6d
0041fbf4 6c628591 0958f840 0caaeff8 0cb0cffc mscms!CNDLut::Interpolate+0x13e
0041fc14 6c63d971 00003cf7 09580468 0ca9fc20 mscms!CNDLut::Interpolate+0x24
0041fc40 6c636e62 00000001 00003cf7 0cadf468 mscms!ColorDestinationTranslation::JChToDst+0xd0
0041fc8c 6c637cf7 00003cf7 00000003 00000001 mscms!ColorTranslationSequence::TranslateColors+0x32e
0041fcac 6c601ee0 00003cf7 00000003 00000001 mscms!SequentialColorTransform::TranslateColors+0x28
0041fcf4 6c5eca70 0c076fd0 07e81000 00003cf7 mscms!CITETranslateColors+0x181
0041fd74 001e1963 4ea1b2c8 07e81000 00003cf7 mscms!TranslateColors+0xc3
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the files, creates color transforms and translates some colors.

Attached are four color profiles which trigger the crash.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
 
Attachments:
1.icc (121 KB)
2.icc (121 KB)
3.icc (121 KB)
4.icc (121 KB)
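The report above describes feeding malformed ICC profiles to a color management module and observing a crash inside its N-dimensional LUT interpolation. The check a defender would want in front of any such pipeline is a structural sanity pass over the profile before the CMS touches it: the header's declared size, the tag table bounds, and, for lut16Type ('mft2') elements such as those used for the A2B0 tag, whether the channel, grid and table-entry counts actually fit inside the tag data. The following validator is an added example written for this page, not the reporter's harness or any Microsoft code; the layouts it assumes (128-byte header, 12-byte tag entries, the 52-byte fixed part of lut16Type) are those of the public ICC.1 specification, and the sample profiles it builds are constructed inline.

```python
import struct

HEADER_SIZE = 128      # fixed ICC header length
TAG_ENTRY_SIZE = 12    # signature, offset, size; all big-endian u32
LUT16_FIXED = 52       # lut16Type fixed part before the input tables


def lut16_expected_size(in_ch, out_ch, grid, in_entries, out_entries):
    """Byte length a lut16Type element must have for the counts it declares."""
    return (LUT16_FIXED
            + in_ch * in_entries * 2          # input tables, uInt16 each
            + (grid ** in_ch) * out_ch * 2    # CLUT, uInt16 each
            + out_ch * out_entries * 2)       # output tables, uInt16 each


def check_lut16(elem: bytes) -> list:
    """Structural checks for a lut16Type ('mft2') tag element."""
    if len(elem) < LUT16_FIXED:
        return ["lut16: shorter than its 52-byte fixed part"]
    in_ch, out_ch, grid = elem[8], elem[9], elem[10]
    in_entries, out_entries = struct.unpack_from(">HH", elem, 48)
    problems = []
    if not 1 <= in_ch <= 15 or not 1 <= out_ch <= 15:
        problems.append(f"lut16: channel counts {in_ch}/{out_ch} outside 1..15")
    if grid < 2:
        problems.append(f"lut16: CLUT grid points {grid} < 2")
    for what, n in (("input", in_entries), ("output", out_entries)):
        if not 2 <= n <= 4096:
            problems.append(f"lut16: {what} table entries {n} outside 2..4096")
    if problems:
        return problems
    need = lut16_expected_size(in_ch, out_ch, grid, in_entries, out_entries)
    if need > len(elem):
        problems.append(f"lut16: declares {need} bytes of tables but element holds {len(elem)}")
    return problems


def validate_icc(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the profile is self-consistent."""
    problems = []
    if len(data) < HEADER_SIZE + 4:
        return ["file shorter than the header plus tag count"]
    declared = struct.unpack_from(">I", data, 0)[0]
    if declared != len(data):
        problems.append(f"header size {declared} != file size {len(data)}")
    if data[36:40] != b"acsp":
        problems.append("missing 'acsp' signature at offset 36")
    count = struct.unpack_from(">I", data, HEADER_SIZE)[0]
    table_end = HEADER_SIZE + 4 + count * TAG_ENTRY_SIZE
    if table_end > len(data):
        problems.append(f"tag table of {count} entries runs past end of file")
        return problems
    for i in range(count):
        sig, off, size = struct.unpack_from(">4sII", data, HEADER_SIZE + 4 + i * TAG_ENTRY_SIZE)
        name = sig.decode("latin-1")
        if off % 4:
            problems.append(f"tag {name}: offset {off} not 4-byte aligned")
        if off < table_end or off + size > len(data):
            problems.append(f"tag {name}: data [{off}, {off + size}) outside file body")
            continue
        elem = data[off:off + size]
        if elem[:4] == b"mft2":
            problems.extend(check_lut16(elem))
    return problems


def make_lut16(in_ch, out_ch, grid, in_entries, out_entries, declared_grid=None):
    """Construct a lut16Type element whose tables match the counts; declared_grid lets a
    sample write a larger grid count into the fixed part than the data actually holds."""
    body = bytearray(b"mft2" + b"\0" * 4)
    body += bytes([in_ch, out_ch, declared_grid or grid, 0])
    body += struct.pack(">9i", 0x10000, 0, 0, 0, 0x10000, 0, 0, 0, 0x10000)  # identity matrix
    body += struct.pack(">HH", in_entries, out_entries)
    n_values = in_ch * in_entries + (grid ** in_ch) * out_ch + out_ch * out_entries
    body += b"\0" * (n_values * 2)
    return bytes(body)


def build_profile(tags):
    """Assemble a constructed profile from (signature, element bytes) pairs."""
    table_end = HEADER_SIZE + 4 + len(tags) * TAG_ENTRY_SIZE
    entries, blobs, off = [], [], table_end
    for sig, elem in tags:
        entries.append(struct.pack(">4sII", sig, off, len(elem)))
        padded = elem + b"\0" * (-len(elem) % 4)   # tag data starts on 4-byte boundaries
        blobs.append(padded)
        off += len(padded)
    header = bytearray(HEADER_SIZE)
    struct.pack_into(">I", header, 0, off)
    header[12:16] = b"mntr"
    header[16:20] = b"RGB "
    header[20:24] = b"XYZ "
    header[36:40] = b"acsp"
    return bytes(header) + struct.pack(">I", len(tags)) + b"".join(entries) + b"".join(blobs)


# Constructed samples: a consistent 3-in/3-out LUT, the same LUT claiming a 17-point grid
# it does not contain, and a copy whose A2B0 offset points far outside the file.
GOOD = build_profile([(b"A2B0", make_lut16(3, 3, 2, 2, 2))])
BAD_GRID = build_profile([(b"A2B0", make_lut16(3, 3, 2, 2, 2, declared_grid=17))])
_patched = bytearray(GOOD)
struct.pack_into(">I", _patched, HEADER_SIZE + 8, 0x7FFFFFF0)  # offset field of tag entry 0
BAD_OFFSET = bytes(_patched)

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad grid", BAD_GRID), ("bad offset", BAD_OFFSET)):
        print(label, validate_icc(blob) or "ok")
```

The LUT size arithmetic is the part worth keeping: a CMS that trusts the grid-point and channel counts in the fixed part and indexes the CLUT accordingly will read past the tag if those counts exceed what the element holds, which is the class of inconsistency a pre-check like this rejects before any interpolation runs.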
Project Member Comment 1 by mjurczyk@google.com, Dec 23 2016
Labels: Reported-2016-Dec-21
Project Member Comment 2 by mjurczyk@google.com, Jan 2 2017
Labels: MSRC-36831
Project Member Comment 3 by mjurczyk@google.com, Jan 19 2017
Labels: -Restrict-View-Commit
Status: Invalid
MSRC has concluded that the crash reported here is caused by an invalid argument passed to one of the API functions in our test harness, rather than by an actual bug in Microsoft code. Hence, I'm opening the issue and marking it as Invalid.