扫码分享
验证:
体验盒子Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054
We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file:
---
(61e4.8620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000453 ecx=0922cafd edx=00000c63 esi=0038f7ac edi=0004be40
eip=6ac573e9 esp=0038f6ec ebp=0038f784 iopl=0 nv up ei pl nz na po nc
cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202
icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a:
6ac573e9 0fb61411movzx edx,byte ptr [ecx+edx] ds:002b:0922d760=??
0:000> kb
ChildEBP RetAddrArgs to Child
0038f784 6ac57844 0038f7ac 0038f840 00000000 icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a
0038f798 6ac4807d 0038f7ac 0038f840 76f611a9 icm32!LHCalc3to3_Di16_Do16_Lut8_G32+0x12
0038f8ac 6ac4204c 07b46e58 085f1000 000285c3 icm32!LHMatchColorsPrivate+0xef
0038f8c0 6c5ecab5 00000100 07de1000 000285c3 icm32!CMTranslateColors+0x44
0038f940 011c1963 4f42e2c8 07de1000 000285c3 mscms!TranslateColors+0x108
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.
Attached are two color profiles which trigger the crash at two different offsets within the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41659.zip
体验盒子
