We have encountered a crash in the Windows Color Matching System library (mscms.dll), in the mscms!CTetra::Intp3D function, while trying to translate colors based on a malformed color profile file:
---
(6944.6678): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c8ed228 ebx=0c8ee080 ecx=00000000 edx=0c8ed21c esi=0caaf004 edi=0c8edfb4
eip=6c62a8b8 esp=0041fba4 ebp=0041fbbc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
mscms!CTetra::Intp3D+0x1bc:
6c62a8b8 d95efc fstp dword ptr [esi-4] ds:002b:0caaf000=????????
0:000> kb
ChildEBP RetAddr Args to Child
0041fbbc 6c62adb3 0c08aff0 0c092f40 0041fbf4 mscms!CTetra::Intp3D+0x1bc
0041fbcc 6c628562 00000f7b 0c8ed210 0c08aff0 mscms!CTetra::Interpolate+0x6d
0041fbf4 6c628591 0958f840 0caaeff8 0cb0cffc mscms!CNDLut::Interpolate+0x13e
0041fc14 6c63d971 00003cf7 09580468 0ca9fc20 mscms!CNDLut::Interpolate+0x24
0041fc40 6c636e62 00000001 00003cf7 0cadf468 mscms!ColorDestinationTranslation::JChToDst+0xd0
0041fc8c 6c637cf7 00003cf7 00000003 00000001 mscms!ColorTranslationSequence::TranslateColors+0x32e
0041fcac 6c601ee0 00003cf7 00000003 00000001 mscms!SequentialColorTransform::TranslateColors+0x28
0041fcf4 6c5eca70 0c076fd0 07e81000 00003cf7 mscms!CITETranslateColors+0x181
0041fd74 001e1963 4ea1b2c8 07e81000 00003cf7 mscms!TranslateColors+0xc3
[...]
---
The issue reproduces on Windows 7. The faulting instruction is a 4-byte float store through esi-4 to 0caaf000, a page-aligned address that is not mapped in the process, so the crash is a write outside any valid allocation; under PageHeap this is consistent with a write just past the end of a guard-page-protected heap buffer, which is why the issue is easiest to reproduce with PageHeap enabled. Because the crash happens inside mscms!TranslateColors rather than while the profile is parsed, reproducing it with the provided samples requires a dedicated program which opens the profiles, creates a color transform from them and translates some colors through that transform.
Attached are four color profiles which trigger the crash.
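The following harness is an added example and is not code from the original report or from the reporter: it performs the three steps above (open the profiles, create a transform, translate colors) against the real mscms.dll exports, ending in the exported TranslateColors that appears at the bottom of the stack. It assumes the attached samples are ICC profiles that OpenColorProfileW accepts, that the stock sRGB profile exists at the path used as the default reference, and that the icm.h constant values and the sizeof(COLOR) computation noted in the comments are correct; the sample profile is run both as source and as destination so that both of its lookup-table directions are exercised.

```powershell
# Added reproduction harness, not part of the original report. Opens one sample profile
# next to a known-good reference profile, builds a transform in both directions and pushes
# a sweep of RGB values through mscms!TranslateColors. Assumed: samples are ICC profiles
# accepted by OpenColorProfileW, and the stock sRGB profile exists at the default path.

Add-Type -Namespace Icm -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct PROFILE {
    public uint   dwType;        // PROFILE_FILENAME = 1
    public IntPtr pProfileData;  // LPWSTR path when dwType == PROFILE_FILENAME
    public uint   cbDataSize;    // size of the path in bytes, including the terminating NUL
}
[DllImport("mscms.dll", SetLastError = true)]
public static extern IntPtr OpenColorProfileW(ref PROFILE pProfile, uint dwDesiredAccess, uint dwShareMode, uint dwCreationMode);
[DllImport("mscms.dll", SetLastError = true)]
public static extern bool CloseColorProfile(IntPtr hProfile);
[DllImport("mscms.dll", SetLastError = true)]
public static extern IntPtr CreateMultiProfileTransform(IntPtr[] pahProfiles, uint nProfiles, uint[] padwIntent, uint nIntents, uint dwFlags, uint indexPreferredCMM);
[DllImport("mscms.dll", SetLastError = true)]
public static extern bool DeleteColorTransform(IntPtr hColorTransform);
[DllImport("mscms.dll", SetLastError = true)]
public static extern bool TranslateColors(IntPtr hColorTransform, byte[] paInputColors, uint nColors, uint ctInput, byte[] paOutputColors, uint ctOutput);
'@

# icm.h constants used below (values assumed from the public header).
$PROFILE_FILENAME  = 1
$PROFILE_READ      = 1
$FILE_SHARE_READ   = 1
$OPEN_EXISTING     = 3
$INTENT_PERCEPTUAL = 0
$BEST_MODE         = 0x00030000
$INDEX_DONT_CARE   = 0
$COLOR_RGB         = 2

function Open-ColorProfileHandle([string]$Path) {
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $pPath = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($full)
    try {
        $p = New-Object 'Icm.Native+PROFILE'
        $p.dwType       = $PROFILE_FILENAME
        $p.pProfileData = $pPath
        $p.cbDataSize   = [uint32](($full.Length + 1) * 2)
        $h = [Icm.Native]::OpenColorProfileW([ref]$p, $PROFILE_READ, $FILE_SHARE_READ, $OPEN_EXISTING)
        if ($h -eq [IntPtr]::Zero) {
            throw "OpenColorProfileW failed for '$full' (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        return $h
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($pPath)
    }
}

function New-RgbSweep([int]$Steps, [int]$Stride) {
    # RGBCOLOR is three WORDs at the start of each COLOR slot; the rest of the slot is padding.
    $buf   = New-Object byte[] ($Steps * $Steps * $Steps * $Stride)
    $scale = 65535 / ($Steps - 1)
    $i = 0
    foreach ($r in 0..($Steps - 1)) { foreach ($g in 0..($Steps - 1)) { foreach ($b in 0..($Steps - 1)) {
        $off = $i * $Stride
        [BitConverter]::GetBytes([uint16]($r * $scale)).CopyTo($buf, $off)
        [BitConverter]::GetBytes([uint16]($g * $scale)).CopyTo($buf, $off + 2)
        [BitConverter]::GetBytes([uint16]($b * $scale)).CopyTo($buf, $off + 4)
        $i++
    } } }
    return ,$buf
}

function Invoke-ProfileTranslate {
    param(
        [Parameter(Mandatory)][string]$SamplePath,
        [string]$ReferencePath = "$env:SystemRoot\System32\spool\drivers\color\sRGB Color Space Profile.icm",
        [int]$Steps = 16
    )
    # sizeof(COLOR): the union contains a { DWORD; PVOID } member, so 8 bytes on x86 and 16 on x64.
    $stride = if ([IntPtr]::Size -eq 8) { 16 } else { 8 }
    $n      = $Steps * $Steps * $Steps
    $inBuf  = New-RgbSweep -Steps $Steps -Stride $stride
    $outBuf = New-Object byte[] ($n * $stride)

    $hSample = Open-ColorProfileHandle $SamplePath
    $hRef    = Open-ColorProfileHandle $ReferencePath
    try {
        # Use the sample as source and as destination so both of its table directions are
        # exercised; the reported stack (JChToDst) is on the destination side.
        $chains = [ordered]@{
            'sample -> reference' = [IntPtr[]]@($hSample, $hRef)
            'reference -> sample' = [IntPtr[]]@($hRef, $hSample)
        }
        foreach ($name in $chains.Keys) {
            $hx = [Icm.Native]::CreateMultiProfileTransform($chains[$name], 2, [uint32[]]@($INTENT_PERCEPTUAL), 1, $BEST_MODE, $INDEX_DONT_CARE)
            if ($hx -eq [IntPtr]::Zero) {
                Write-Warning "CreateMultiProfileTransform ($name) failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
                continue
            }
            try {
                # FALSE here means a rejected color type or profile, not a crash; a crash lands in the debugger.
                $ok = [Icm.Native]::TranslateColors($hx, $inBuf, [uint32]$n, $COLOR_RGB, $outBuf, $COLOR_RGB)
                Write-Host ("{0}: TranslateColors returned {1} for {2} colors" -f $name, $ok, $n)
            } finally {
                [void][Icm.Native]::DeleteColorTransform($hx)
            }
        }
    } finally {
        [void][Icm.Native]::CloseColorProfile($hRef)
        [void][Icm.Native]::CloseColorProfile($hSample)
    }
}

# Script arguments are the sample profiles, e.g.: powershell -File harness.ps1 .\a.icc .\b.icc
foreach ($f in $args) { Invoke-ProfileTranslate -SamplePath $f }
```

To match the 32-bit register dump above, run the script from the 32-bit PowerShell (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) under WinDbg or cdb, and enable full page heap on the host process first with `gflags /p /enable powershell.exe /full` (and `gflags /p /disable powershell.exe` afterwards), since PageHeap is what turns the out-of-bounds write into an immediate access violation. The number of colors per call is adjustable via -Steps; a TranslateColors return of False without a crash only means the color type or profile pairing was rejected, not that the sample is benign.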
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.