A color profile is a set of data that characterizes a color input or output device, or a color space. In practice, a binary chunk-based format is used, with the file extensions .icc and .icm. These files are common on embedded devices, making them good targets for attackers.
While fuzzing Apple's ColorSync library on macOS and iOS, the author found a crash. It occurs when the 8-bit input channel count field holds the invalid value 0, and it results in a read from an invalid memory address.
The function first calculates the desired start address within a data point array, and then starts reading the data points in a loop. The address is calculated with the following expression:
&lutAToB->CLUT.DataPoints[2 * x * y]. The variable y is assigned inside a for loop that runs prior to this access. However, if that loop runs zero iterations, the variable is never initialized.
Since the variable lives on the stack and is never initialized before it is used, the y coordinate can contain a large positive or negative value. If an attacker could control this value, it would create a very nice out-of-bounds read primitive.
Overall, this is an interesting bug! The value never gets initialized and is then used as an index. Even though somebody reading the code would assume the variable gets initialized in the for loop, this is not the case when the loop count is 0.
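The defect pattern above, and one way to close it, as an added example written for this page (it is not ColorSync's code and does not reproduce its real CLUT layout). The model below assumes a record with an 8-bit input channel count, a per-channel array of grid point counts, and a flat data point array, and it assumes the loop that sets y multiplies the grid point counts together; all of those are constructed assumptions. The vulnerable shape is shown in a comment because executing it is undefined behaviour; the live code is the hardened version, which gives y a definite value, rejects a zero channel count up front, and bounds-checks the computed index before any dereference.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a CLUT record for this example (not ColorSync's real
 * layout): an 8-bit input channel count, per-channel grid point counts and a
 * flat array of data points. */
#define MAX_IN_CHANNELS 16
#define MAX_POINTS 64

struct clut_model {
    uint8_t  in_channels;                    /* the 8-bit field from the profile */
    uint8_t  grid_points[MAX_IN_CHANNELS];   /* assumed per-channel grid sizes */
    uint32_t num_points;                     /* entries valid in data_points */
    uint16_t data_points[MAX_POINTS];
};

/*
 * The pattern the post describes, kept as a comment because it is undefined
 * behaviour when in_channels is 0:
 *
 *     uint32_t y;                                  // no initializer
 *     for (i = 0; i < in_channels; i++) y = ...;   // zero iterations: y untouched
 *     p = &lutAToB->CLUT.DataPoints[2 * x * y];    // y is whatever was on the stack
 */

/* Hardened start-index computation. Returns the index 2*x*y on success, or -1
 * if the channel count is zero or too large, a grid count is zero, the
 * arithmetic would overflow, or the index falls outside data_points. */
int64_t clut_start_index(const struct clut_model *m, uint32_t x) {
    uint64_t y = 1;                          /* definite initialization on every path */
    if (m->in_channels == 0 || m->in_channels > MAX_IN_CHANNELS) {
        return -1;                           /* reject before the loop can be skipped */
    }
    for (uint8_t i = 0; i < m->in_channels; i++) {
        if (m->grid_points[i] == 0) return -1;
        y *= m->grid_points[i];
        if (y > m->num_points) return -1;    /* more grid cells than data: invalid */
    }
    if (x != 0 && y > UINT64_MAX / 2 / x) return -1;  /* 2*x*y must not wrap */
    uint64_t idx = 2ULL * x * y;
    if (idx >= m->num_points) return -1;     /* bounds check before any dereference */
    return (int64_t)idx;
}

/* Reads the data point at the validated start index. Returns 0 and stores the
 * value in *out on success, -1 if the record was rejected. */
int clut_read_start_point(const struct clut_model *m, uint32_t x, uint16_t *out) {
    int64_t idx = clut_start_index(m, x);
    if (idx < 0) return -1;
    *out = m->data_points[idx];
    return 0;
}

int main(void) {
    /* Constructed sample record: two input channels with 3 and 4 grid points. */
    struct clut_model m = { .in_channels = 2, .grid_points = {3, 4}, .num_points = MAX_POINTS };
    for (uint32_t i = 0; i < MAX_POINTS; i++) m.data_points[i] = (uint16_t)(i * 10);

    uint16_t v = 0;
    printf("valid record, x=1:   %s\n", clut_read_start_point(&m, 1, &v) == 0 ? "ok" : "rejected");
    m.in_channels = 0;                       /* the malformed field that caused the crash */
    printf("zero channel count:  %s\n", clut_read_start_point(&m, 1, &v) == 0 ? "ok" : "rejected");
    return 0;
}
```

The two defensive habits that matter here are independent of the ICC format: initialize every variable at its declaration so that a skipped loop cannot leave it indeterminate, and validate a parsed count field against its legal range before using it as a loop bound, since a zero (or oversized) count is exactly the input a fuzzer or a crafted file will supply.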