fix: more ICC protections against invalid tag sizes (#4565)

Signed-off-by: Larry Gritz <[email protected]>

Author: lgritz

src/libOpenImageIO/icc.cpp

@@ -321,13 +321,25 @@ decode_icc_profile(cspan<uint8_t> iccdata, ImageSpec& spec, std::string& error)
         if (typesignature == "text") {
             // For text, the first 4 bytes are "text", the next 4 are 0, then
             // byte 8-end are the zero-terminated string itself.
+            if (tag.size < 8) {
+                error = format(
+                    "ICC profile tag {} appears to contain corrupted/invalid data",
+                    signature);
+                return false;
+            }
             spec.attribute(tagname, string_view((const char*)iccdata.data()
                                                     + tag.offset + 8,
                                                 tag.size - 8));
         } else if (typesignature == "desc") {
             // I don't see this in the spec, but I've seen it in practice:
             // first 4 bytes are "desc", next 8 are unknown, then 12-end are
             // zero-terminated string itself.
+            if (tag.size < 12) {
+                error = format(
+                    "ICC profile tag {} appears to contain corrupted/invalid data",
+                    signature);
+                return false;
+            }
             spec.attribute(tagname, string_view((const char*)iccdata.data()
                                                     + tag.offset + 12,
                                                 tag.size - 12));

testsuite/jpeg-corrupt/ref/out-alt2.txt

@@ -20,3 +20,27 @@ src/corrupt-exif-1626.jpg :  256 x  256, 3 channel, uint8 jpeg
     oiio:ColorSpace: "sRGB"
 corrupt-icc-4551.jpg
 DCT coefficient (lossy) or spatial difference (lossless) out of range
+Reading src/corrupt-icc-4552.jpg
+src/corrupt-icc-4552.jpg : 1500 x 1000, 3 channel, uint8 jpeg
+    SHA-1: 58BC613FDC7513B4F3854D8D2910040B60FF7A7F
+    channel list: R, G, B
+    ICCProfile: 0, 0, 12, 72, 76, 105, 110, 111, 2, 16, 0, 0, 109, 110, 116, 114, ... [3144 x uint8]
+    ResolutionUnit: "in"
+    XResolution: 72
+    YResolution: 72
+    ICCProfile:attributes: "Transparency , Glossy, Positive, Color"
+    ICCProfile:cmm_type: 1281977967
+    ICCProfile:color_space: "RGB"
+    ICCProfile:creation_date: "1998:02:09 06:49:00"
+    ICCProfile:creator_signature: "48502020"
+    ICCProfile:device_class: "Display device profile"
+    ICCProfile:flags: "Not Embedded, Independent"
+    ICCProfile:manufacturer: "49454320"
+    ICCProfile:model: "73524742"
+    ICCProfile:platform_signature: "Microsoft Corporation"
+    ICCProfile:profile_connection_space: "XYZ"
+    ICCProfile:profile_size: 3144
+    ICCProfile:profile_version: "2.1.0"
+    ICCProfile:rendering_intent: "Unknown"
+    jpeg:subsampling: "4:2:0"
+    oiio:ColorSpace: "sRGB"

testsuite/jpeg-corrupt/ref/out-alt3.txt

@@ -19,3 +19,27 @@ src/corrupt-exif-1626.jpg :  256 x  256, 3 channel, uint8 jpeg
     jpeg:subsampling: "4:2:0"
     oiio:ColorSpace: "sRGB"
 corrupt-icc-4551.jpg
+Reading src/corrupt-icc-4552.jpg
+src/corrupt-icc-4552.jpg : 1500 x 1000, 3 channel, uint8 jpeg
+    SHA-1: 58BC613FDC7513B4F3854D8D2910040B60FF7A7F
+    channel list: R, G, B
+    ICCProfile: 0, 0, 12, 72, 76, 105, 110, 111, 2, 16, 0, 0, 109, 110, 116, 114, ... [3144 x uint8]
+    ResolutionUnit: "in"
+    XResolution: 72
+    YResolution: 72
+    ICCProfile:attributes: "Transparency , Glossy, Positive, Color"
+    ICCProfile:cmm_type: 1281977967
+    ICCProfile:color_space: "RGB"
+    ICCProfile:creation_date: "1998:02:09 06:49:00"
+    ICCProfile:creator_signature: "48502020"
+    ICCProfile:device_class: "Display device profile"
+    ICCProfile:flags: "Not Embedded, Independent"
+    ICCProfile:manufacturer: "49454320"
+    ICCProfile:model: "73524742"
+    ICCProfile:platform_signature: "Microsoft Corporation"
+    ICCProfile:profile_connection_space: "XYZ"
+    ICCProfile:profile_size: 3144
+    ICCProfile:profile_version: "2.1.0"
+    ICCProfile:rendering_intent: "Unknown"
+    jpeg:subsampling: "4:2:0"
+    oiio:ColorSpace: "sRGB"

testsuite/jpeg-corrupt/ref/out.txt

@@ -20,3 +20,27 @@ src/corrupt-exif-1626.jpg :  256 x  256, 3 channel, uint8 jpeg
     oiio:ColorSpace: "sRGB"
 corrupt-icc-4551.jpg
 DCT coefficient (lossy) or spatial difference (lossless) out of range
+Reading src/corrupt-icc-4552.jpg
+src/corrupt-icc-4552.jpg : 1500 x 1000, 3 channel, uint8 jpeg
+    SHA-1: 58BC613FDC7513B4F3854D8D2910040B60FF7A7F
+    channel list: R, G, B
+    ICCProfile: 0, 0, 12, 72, 76, 105, 110, 111, 2, 16, 0, 0, 109, 110, 116, 114, ... [3144 x uint8]
+    ResolutionUnit: "in"
+    XResolution: 72
+    YResolution: 72
+    ICCProfile:attributes: "Transparency , Glossy, Positive, Color"
+    ICCProfile:cmm_type: 1281977967
+    ICCProfile:color_space: "RGB"
+    ICCProfile:creation_date: "1998:02:09 06:49:00"
+    ICCProfile:creator_signature: "48502020"
+    ICCProfile:device_class: "Display device profile"
+    ICCProfile:flags: "Not Embedded, Independent"
+    ICCProfile:manufacturer: "49454320"
+    ICCProfile:model: "73524742"
+    ICCProfile:platform_signature: "Microsoft Corporation"
+    ICCProfile:profile_connection_space: "XYZ"
+    ICCProfile:profile_size: 3144
+    ICCProfile:profile_version: "2.1.0"
+    ICCProfile:rendering_intent: "Unknown"
+    jpeg:subsampling: "4:2:0"
+    oiio:ColorSpace: "sRGB"

testsuite/jpeg-corrupt/run.py

@@ -21,3 +21,6 @@
 # extend beyond the boundaries of the ICC block itself.
 command += run_app (oiiotool("--echo corrupt-icc-4551.jpg"))
 command += run_app (oiio_app("iconvert") + " src/corrupt-icc-4551.jpg out-4551.jpg")
+
+# This file has a corrupted ICC profile block
+command += info_command ("src/corrupt-icc-4552.jpg", safematch=True)