NPD & UB runtime error: member access ... in CIccXmlArrayType() at IccLibXML/IccUtilXml.cpp#L1076 #477

@xsscx

Description

Maintainer Repro

Sun Jan 18 09:10:43 EST 2026

Host

Linux 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Darwin 25.2.0 Darwin Kernel Version 25.2.0: Tue Nov 18 21:09:55 PST 2025; root:xnu-12377.61.12~1/RELEASE_ARM64_T8103 arm64

Source Tested

[2026-01-18 14:07:22 UTC] git rev-parse HEAD && git show --no-patch --oneline

0dbe22e
0dbe22e (HEAD -> master, origin/update-docs, origin/master, origin/HEAD) Modify: RefIccMAXConfig.cmake.in (#473)

Step 1. wget https://raw.githubusercontent.com/xsscx/Commodity-Injection-Signatures/refs/heads/master/xml/icc/ub-member-access-CIccXmlArrayType-icTagTypeSignature-Line1076.xml

Step 2. iccFromXml ub-member-access-CIccXmlArrayType-icTagTypeSignature-Line1076.xml ub-member-access-CIccXmlArrayType-icTagTypeSignature-Line1076.icc

Expected Output

IccXML/IccLibXML/IccUtilXml.cpp:1076:18: runtime error: member access within null pointer of type 'struct xmlNode'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4343==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7afb4cb3e93e bp 0x7ffc44f33dc0 sp 0x7ffc44f33d00 T0)
==4343==The signal is caused by a READ memory access.
==4343==Hint: address points to the zero page.
    #0 0x7afb4cb3e93e in CIccXmlArrayType<float, (icTagTypeSignature)1717793824>::ParseArray(float*, unsigned int, _xmlNode*) IccXML/IccLibXML/IccUtilXml.cpp:1076
    #1 0x7afb4c989ca3 in CIccMpeXmlMatrix::ParseXml(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) IccXML/IccLibXML/IccMpeXml.cpp:1273
    #2 0x7afb4cab29cc in CIccTagXmlMultiProcessElement::ParseElement(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) IccXML/IccLibXML/IccTagXml.cpp:4101
    #3 0x7afb4cab4e47 in CIccTagXmlMultiProcessElement::ParseXml(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) IccXML/IccLibXML/IccTagXml.cpp:4161
    #4 0x7afb4ca39dca in CIccProfileXml::ParseTag(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) IccXML/IccLibXML/IccProfileXml.cpp:751
    #5 0x7afb4ca3e633 in CIccProfileXml::ParseXml(_xmlNode*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) IccXML/IccLibXML/IccProfileXml.cpp:862
    #6 0x7afb4ca3eaf7 in CIccProfileXml::LoadXml(char const*, char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) IccXML/IccLibXML/IccProfileXml.cpp:919
    #7 0x64e205ceb5d3 in main IccXML/CmdLine/IccFromXml/IccFromXml.cpp:68
    #8 0x7afb48c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7afb48c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0x64e205cea864 in _start (Build/Tools/IccFromXml/iccFromXml+0x9864) (BuildId: 8b491c2f359548d4acda07cfc5de677fbad1725b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV IccXML/IccLibXML/IccUtilXml.cpp:1076 in CIccXmlArrayType<float, (icTagTypeSignature)1717793824>::ParseArray(float*, unsigned int, _xmlNode*)
==4343==ABORTING
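The sanitizer line above (member access within a null pointer of type xmlNode at IccUtilXml.cpp:1076, reached from CIccMpeXmlMatrix::ParseXml) is the classic shape of an XML array parser that walks into a node's child or content field without first checking that the node exists. The following is an added example, not code from the RefIccMAX project, showing the defensive shape such a parser should have: it validates the element node, its text child and the content pointer before dereferencing any of them, and it refuses inputs that would overrun the caller's buffer. DemoNode is an assumed minimal stand-in for the xmlNode fields involved, not libxml2's real struct, so the block runs offline without libxml2.

```cpp
#include <cerrno>
#include <cmath>
#include <cstdio>
#include <cstdlib>

// Assumed stand-in for the two xmlNode fields an array parser touches.
// This is NOT libxml2's xmlNode; it exists so the example is self-contained.
struct DemoNode {
    const char* content;   // text of a text node (may be nullptr)
    DemoNode* children;    // first child of an element node (nullptr for a leaf)
};

// Parse up to `capacity` whitespace-separated floats from the text child of
// `node` into `out`. Returns the number of values parsed, or -1 on any
// malformed input: a null element node, an element with no text child, a
// null content pointer, a non-numeric token, a non-finite value, or more
// values than the caller's buffer can hold.
int ParseFloatArray(float* out, unsigned int capacity, const DemoNode* node) {
    if (!out || !node) return -1;              // the check missing at the crash site
    const DemoNode* text = node->children;
    if (!text || !text->content) return -1;    // element present but empty
    const char* p = text->content;
    unsigned int n = 0;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r') ++p;
        if (!*p) break;
        if (n >= capacity) return -1;          // would overrun `out`
        char* end = nullptr;
        errno = 0;
        double v = std::strtod(p, &end);
        if (end == p || errno == ERANGE || !std::isfinite(v)) return -1;
        out[n++] = static_cast<float>(v);
        p = end;
    }
    return static_cast<int>(n);
}

int main() {
    // Constructed sample inputs: a well-formed array, then a matrix element
    // whose text child is absent, which is the situation the report triggers.
    DemoNode goodText{"1.5 2 -3e2", nullptr};
    DemoNode goodElem{nullptr, &goodText};
    DemoNode emptyElem{nullptr, nullptr};
    float buf[4];
    std::printf("well-formed: %d values\n", ParseFloatArray(buf, 4, &goodElem));
    std::printf("no text child: %d (rejected, no crash)\n", ParseFloatArray(buf, 4, &emptyElem));
    std::printf("null node: %d (rejected, no crash)\n", ParseFloatArray(buf, 4, nullptr));
    return 0;
}
```

A caller such as a matrix parser should treat -1 as a hard parse failure for the whole tag rather than continuing with a partially filled buffer; that is what turns a crash into a clean "invalid profile" error.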

Labels: Bug, Bug Report, Security, Security Related, Triaged (Maintainer indicates triaged status and ready for developer handoff)
