Crash in babl_trc_from_icc caused by invalid offset
OS: Windows 10 Home, 64-bit.
GIMP, GEGL, BABL: current master branch.
Trying to open the following fuzzed TIFF image from the well-known imagetestsuite causes a crash inside babl_trc_from_icc,
triggered by an invalid offset read from the embedded ICC profile.
TIFF: https://github.com/Wormnest/imagetestsuite/blob/master/tif/m3-108af7a96a2efa82a0cee0f200e6b9a2.tif
Crash backtrace:
Error occurred on Tuesday, August 23, 2022 at 17:26:45.
gimp-2.99.exe caused an Access Violation at location 00007FFA549BD0DB in module msvcrt.dll Reading from location 000001F2401E77C4.
AddrPC Params
00007FFA549BD0DB 000001F1F7AEEC90 00007FF7781A7A20 000000EB733FDC80 msvcrt.dll!strcmp+0xb
00007FF9F54E2B95 000001F1FAEB6E80 000000EB733FDAA9 000000EB733FDA98 libbabl-0.1-0.dll!babl_trc_from_icc+0x45 [D:/msys64/home/Jacob/build/babl/../../babl/babl/babl-icc.c @ 382]
380: int count = icc_read (u32, offset + 8);
381: int i;
> 382: if (!strcmp (state->data + offset, "para"))
383: {
384: int function_type = icc_read (u16, offset + 8);
00007FF9F54E8642 000001F1FB75B8A0 00007FF9F44342CC 0000000000000000 libbabl-0.1-0.dll!babl_space_from_icc+0xe52 [D:/msys64/home/Jacob/build/babl/../../babl/babl/babl-icc.c @ 1094]
1092: if (!*error && icc_tag (state, "rTRC", &offset, &element_size))
1093: {
> 1094: trc_red = babl_trc_from_icc (state, offset, error);
1095: }
1096: if (!*error && icc_tag (state, "gTRC", &offset, &element_size))
00007FF9F44360F8 0000000000000001 00007FFA0C18F848 000001F100000004 libgimpcolor-3.0-0.dll!gimp_color_profile_get_space+0x88 [D:/msys64/home/Jacob/build/gimp/../../gimp/libgimpcolor/gimpcolorprofile.c @ 1520]
1518: g_return_val_if_fail (error == NULL || *error == NULL, NULL);
1519:
> 1520: space = babl_space_from_icc ((const gchar *) profile->priv->data,
1521: profile->priv->length,
1522: (BablIccIntent) intent,
00007FF777E7D837 00007FF7781A3CD3 00000518733FDD2C 000001F1F7AEEF50 gimp-2.99.exe!_gimp_image_update_color_profile+0x97 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/core/gimpimage-color-profile.c @ 962]
960:
961: private->layer_space =
> 962: gimp_color_profile_get_space (private->color_profile,
963: GIMP_COLOR_RENDERING_INTENT_RELATIVE_COLORIMETRIC,
964: &error);
00007FF777E90C1B 000001F1F7AEEF50 00007FFA549C37B4 000001F100000000 gimp-2.99.exe!gimp_image_parasite_attach+0x1eb [D:/msys64/home/Jacob/build/gimp/../../gimp/app/core/gimpimage.c @ 4339]
4337:
4338: if (strcmp (name, GIMP_ICC_PROFILE_PARASITE_NAME) == 0)
> 4339: _gimp_image_update_color_profile (image, parasite);
4340:
4341: if (strcmp (name, GIMP_SIMULATION_ICC_PROFILE_PARASITE_NAME) == 0)
00007FF777E7C22D 0000000000000000 00007FF777E7B4E1 000000EB733FDFC0 gimp-2.99.exe!gimp_image_set_icc_profile+0xfd [D:/msys64/home/Jacob/build/gimp/../../gimp/app/core/gimpimage-color-profile.c @ 367]
365: }
366:
> 367: gimp_image_set_icc_parasite (image, parasite, profile_type);
368:
369: if (parasite)
00007FF777E7C379 000001F1FAF0DC80 000001F1F46BE280 000001F1FB5D40FC gimp-2.99.exe!gimp_image_set_color_profile+0xe9 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/core/gimpimage-color-profile.c @ 418]
416: data = gimp_color_profile_get_icc_profile (profile, &length);
417:
> 418: return gimp_image_set_icc_profile (image, data, length,
419: GIMP_ICC_PROFILE_PARASITE_NAME,
420: error);
00007FF777E7C7D0 0000000000000000 000001F1FC11A2E0 000000EB733FDFC0 gimp-2.99.exe!gimp_image_assign_color_profile+0x1d0 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/core/gimpimage-color-profile.c @ 626]
624: _gimp_image_set_hidden_profile (image, NULL, TRUE);
625:
> 626: gimp_image_set_color_profile (image, dest_profile, NULL);
627: /* omg... */
628: gimp_image_parasite_detach (image, "icc-profile-name", TRUE);
00007FF777F6FA41 000001F1F46BE280 000001F1F46AF960 000001F1FA89E350 gimp-2.99.exe!image_set_color_profile_invoker+0x91 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/pdb/image-color-profile-cmds.c @ 168]
166: if (profile)
167: {
> 168: success = gimp_image_assign_color_profile (image, profile,
169: progress, error);
170: g_object_unref (profile);
00007FF777FCFB15 0000000000000000 0000000000000000 0000000000000000 gimp-2.99.exe!gimp_procedure_execute+0x255 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/pdb/gimpprocedure.c @ 515]
513:
514: /* call the procedure */
> 515: return_vals = GIMP_PROCEDURE_GET_CLASS (procedure)->execute (procedure,
516: gimp,
517: context,
00007FF777FCC31C 0000000000000002 00007FF9F44AD57D 000000EB733FDF90 gimp-2.99.exe!gimp_pdb_execute_procedure_by_name_args+0x1cc [D:/msys64/home/Jacob/build/gimp/../../gimp/app/pdb/gimppdb.c @ 320]
318: g_return_val_if_fail (GIMP_IS_PROCEDURE (procedure), NULL);
319:
> 320: return_vals = gimp_procedure_execute (procedure,
321: pdb->gimp, context, progress,
322: args, error);
00007FF777FE36CB 000001F1FAE4A3A0 00007FF9FF3F25E1 0000000000000001 gimp-2.99.exe!gimp_plug_in_handle_message+0x48b [D:/msys64/home/Jacob/build/gimp/../../gimp/app/plug-in/gimpplugin-message.c @ 584]
582: */
583: gimp_plug_in_manager_plug_in_push (plug_in->manager, plug_in);
> 584: return_vals = gimp_pdb_execute_procedure_by_name_args (plug_in->manager->gimp->pdb,
585: proc_frame->context_stack ?
586: proc_frame->context_stack->data :
00007FF777FD4C0B 000000EB733FE108 00007FF9FF39AD91 0000000000000000 gimp-2.99.exe!gimp_plug_in_recv_message+0x13b
00007FF9FF3980D1 000001F100000000 00007FF778220000 000001F100000001 libglib-2.0-0.dll!g_clear_list+0xe61
00007FF9FF39B0E8 000001F100000000 00007FF9FF39B432 0000000000000000 libglib-2.0-0.dll!g_main_context_check+0x528
00007FF9FF39B5B0 000000EB733FE2D0 00007FFA0C19C498 000000EB00000000 libglib-2.0-0.dll!g_main_loop_run+0x70
00007FF777FE506F 000001F1F41260E0 000001F1FC11A2E0 000000EB733FE858 gimp-2.99.exe!gimp_plug_in_manager_call_run+0x62f [D:/msys64/home/Jacob/build/gimp/../../gimp/app/plug-in/gimppluginmanager-call.c @ 296]
294: proc_frame->main_loop = g_main_loop_new (NULL, FALSE);
295:
> 296: g_main_loop_run (proc_frame->main_loop);
297:
298: /* main_loop is quit in gimp_plug_in_handle_proc_return() */
00007FF777FDA6FB 000001F1F8E52A80 000001F1F8D84C10 000001F1F42BE620 gimp-2.99.exe!gimp_plug_in_procedure_execute+0x7b [D:/msys64/home/Jacob/build/gimp/../../gimp/app/plug-in/gimppluginprocedure.c @ 394]
392: args, error);
393:
> 394: return gimp_plug_in_manager_call_run (gimp->plug_in_manager,
395: context, progress,
396: GIMP_PLUG_IN_PROCEDURE (procedure),
00007FF777FCFB15 0000000000000000 00007FF777FCF5E5 00007FFA0C1BBB90 gimp-2.99.exe!gimp_procedure_execute+0x255 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/pdb/gimpprocedure.c @ 515]
513:
514: /* call the procedure */
> 515: return_vals = GIMP_PROCEDURE_GET_CLASS (procedure)->execute (procedure,
516: gimp,
517: context,
00007FF777FCC31C 0000000000000020 0000000000000036 000001F1FC11A2F0 gimp-2.99.exe!gimp_pdb_execute_procedure_by_name_args+0x1cc [D:/msys64/home/Jacob/build/gimp/../../gimp/app/pdb/gimppdb.c @ 320]
318: g_return_val_if_fail (GIMP_IS_PROCEDURE (procedure), NULL);
319:
> 320: return_vals = gimp_procedure_execute (procedure,
321: pdb->gimp, context, progress,
322: args, error);
00007FF777FCCA98 000001F1FBF5EBC0 000001F1FBFED260 000001F1FC11A2E0 gimp-2.99.exe!gimp_pdb_execute_procedure_by_name+0x668 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/pdb/gimppdb.c @ 513]
511: va_end (va_args);
512:
> 513: return_vals = gimp_pdb_execute_procedure_by_name_args (pdb, context,
514: progress, error,
515: name, args);
00007FF777EFA635 000001F1FBF1D2B0 00007FFA0C198D3E 000001F1FC11A2E0 gimp-2.99.exe!file_open_image+0x285 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/file/file-open.c @ 208]
206:
207: return_vals =
> 208: gimp_pdb_execute_procedure_by_name (gimp->pdb,
209: context, progress, error,
210: gimp_object_get_name (file_proc),
00007FF777EFB586 000001F100000000 000001F1F40FCBA0 000001F1F40FCBA0 gimp-2.99.exe!file_open_with_proc_and_display+0x1b6 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/file/file-open.c @ 499]
497: g_return_val_if_fail (status != NULL, NULL);
498:
> 499: image = file_open_image (gimp, context, progress,
500: file,
501: as_new,
00007FF777EFB7C4 0000000000000000 00007FFA0C19C565 000001F1F8FAEDB0 gimp-2.99.exe!file_open_with_display+0x44
00007FF77801EA20 0000000000000090 00007FF9F4CC2E08 000001F1FBEDE170 gimp-2.99.exe!file_open_recent_cmd_callback+0x110 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/actions/file-commands.c @ 202]
200: NULL : GIMP_PROGRESS (display);
201:
> 202: image = file_open_with_display (gimp, action_data_get_context (data),
203: progress,
204: file, FALSE,
00007FFA0C177CDC 0000000000000000 0000000000000065 000001F1F9399910 libgobject-2.0-0.dll!g_closure_invoke+0x16c
00007FFA0C189774 000001F1F8F967B0 000000EB00000000 000001F1F92061F0 libgobject-2.0-0.dll!g_signal_handler_disconnect+0xb04
00007FFA0C18F401 000001F1F92061F0 000001F1F9D167E0 000000EB00000000 libgobject-2.0-0.dll!g_signal_emit_valist+0x951
00007FFA0C18F848 000000EB00000000 00007FF777DB0D80 000001F1F92061F0 libgobject-2.0-0.dll!g_signal_emit+0x18
00007FF777D757D3 000001F100000000 00007FFA0C1799FB 000001F140000002 gimp-2.99.exe!gimp_action_emit_activate+0x53 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/widgets/gimpaction.c @ 103]
101: g_variant_ref_sink (value);
102:
> 103: g_signal_emit (action, action_signals[ACTIVATE], 0, value);
104:
105: if (value)
00007FF777DB0DC7 00000000017E0084 0000000000000069 000001F1F9399910 gimp-2.99.exe!gimp_enum_action_activate+0x47 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/widgets/gimpenumaction.c @ 162]
160: GimpEnumAction *enum_action = GIMP_ENUM_ACTION (action);
161:
> 162: gimp_action_emit_activate (GIMP_ACTION (enum_action),
163: g_variant_new_int32 (enum_action->value));
164:
00007FFA0C177CDC 000001F100000000 00007FFA0C17C356 0000000000000000 libgobject-2.0-0.dll!g_closure_invoke+0x16c
00007FFA0C18942E 000001F1F8F963C0 0000000000000000 000001F1F92061F0 libgobject-2.0-0.dll!g_signal_handler_disconnect+0x7be
00007FFA0C18F401 000001F1F92061F0 00007FFA0C17BE94 000001F100000000 libgobject-2.0-0.dll!g_signal_emit_valist+0x951
00007FFA0C18F848 0000000000000000 00007FF9F4949F58 000001F100000002 libgobject-2.0-0.dll!g_signal_emit+0x18
00007FF9F4949891 010001F10000007C 000001F1FBF573C0 0000000000000000 libgtk-3-0.dll!gtk_action_new+0xe1
00007FFA0C177EF4 00007FFA00000000 000001F1F44DBF70 000000EB733FF398 libgobject-2.0-0.dll!g_closure_invoke+0x384
00007FFA0C18F700 000001F1F9B244A0 000001F1F9B244A0 000001F100000000 libgobject-2.0-0.dll!g_signal_emit_valist+0xc50
00007FFA0C18F848 000001F1F9B244A0 00007FFA53F9EC0B 000001F100000000 libgobject-2.0-0.dll!g_signal_emit+0x18
00007FF9F491256B 000001F1F8EDD620 00007FF9F47D28C0 000001F1FBF4B400 libgtk-3-0.dll!gtk_widget_activate+0x7b
00007FF9F47D5D06 000000EB00000000 000001F1F9B244A0 000001F1F44DBF70 libgtk-3-0.dll!gtk_menu_shell_activate_item+0x186
00007FF9F47D5F84 0000000000000000 0000000000011F29 000000EB00000045 libgtk-3-0.dll!gtk_menu_shell_activate_item+0x404
00007FF9F4662DF1 000000EB733FF550 00007FFA0C19C749 0000000000000000 libgtk-3-0.dll!0x2df1
00007FFA0C177EF4 0000000000000000 0000000000000000 0000000000000000 libgobject-2.0-0.dll!g_closure_invoke+0x384
00007FFA0C18ED65 000001F1F44DBF70 00007FFA0C17BE52 000001F100000000 libgobject-2.0-0.dll!g_signal_emit_valist+0x2b5
00007FFA0C18F848 000001F1F44DBF70 00007FFA0C198D3E 0000000000000000 libgobject-2.0-0.dll!g_signal_emit+0x18
00007FF9F490F965 000001F100000000 00007FF9F4937E3A 000001F100000000 libgtk-3-0.dll!gtk_requisition_copy+0x885
00007FF9F47BF94F FFFFFFFFFFFFFFFF 00007FFA55FAE703 00007FFA55FAEB96 libgtk-3-0.dll!gtk_lock_button_set_permission+0xf3f
00007FF9F47C17AB 0000000000000000 000001F1FBEF8DC0 0000000000000000 libgtk-3-0.dll!gtk_main_do_event+0x7cb
00007FF9F4D9F5AA 000000EB733FF900 000001F1FBEF8DC0 00007FFA55FAE040 libgdk-3-0.dll!gdk_event_free+0x1ba
00007FF9F4DD912F 000001F1D3BAC6A0 00007FF9FF39AD91 0000000000000000 libgdk-3-0.dll!gdk_win32_drag_context_get_type+0x2ecf
00007FF9FF398203 0000000000000000 000001F1F433B4E0 00000000000001EF libglib-2.0-0.dll!g_clear_list+0xf93
00007FF9FF39B0E8 0000000000000000 000001F1FBF54FA0 0000000000000000 libglib-2.0-0.dll!g_main_context_check+0x528
00007FF9FF39B5B0 0000000000000000 0000000000000000 00007FF77814A84B libglib-2.0-0.dll!g_main_loop_run+0x70
00007FF777CD3B24 000001F1D3325C30 000001F1D1B6EE70 000001F1D1B60860 gimp-2.99.exe!app_run+0x3d4 [D:/msys64/home/Jacob/build/gimp/../../gimp/app/app.c @ 457]
455:
456: if (run_loop)
> 457: g_main_loop_run (loop);
458:
459: if (gimp->be_verbose)
00007FF778145ACD 0000000000000000 000001F1D33955C0 00007FF778330F28 gimp-2.99.exe!main+0x51d [D:/msys64/home/Jacob/build/gimp/../../gimp/app/main.c @ 804]
802: user_gimprc_file = g_file_new_for_commandline_arg (user_gimprc);
803:
> 804: retval = app_run (argv[0],
805: filenames,
806: system_gimprc_file,
00007FF777CD13AE 0000000000000000 0000000000000000 0000000000000000 gimp-2.99.exe!__tmainCRTStartup+0x22e [C:/M/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c @ 329]
00007FF777CD14E6 0000000000000000 0000000000000000 0000000000000000 gimp-2.99.exe!mainCRTStartup+0x16 [C:/M/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c @ 206]
00007FFA54BC7034 0000000000000000 0000000000000000 0000000000000000 KERNEL32.DLL!BaseThreadInitThunk+0x14
00007FFA56822651 0000000000000000 0000000000000000 0000000000000000 ntdll.dll!RtlUserThreadStart+0x21
Relevant part of the image in hexadecimal:
So, for the rTRC tag the offset apparently was changed from 00 00 00 0E to 00 00 34 0E.
It looks like there is no check for a valid offset in babl_space_from_icc before calling babl_trc_from_icc: the tag offset taken from the profile data is added to state->data and dereferenced by strcmp (babl-icc.c line 382) without being bounds-checked against the profile length that babl_space_from_icc receives, so a fuzzed offset reads past the end of the profile buffer.