
Full Disclosure mailing list archives
libicns v0.8.1 Heap Buffer Overflow in libicns ICNS Parsing (icns2png)
From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 11 Sep 2025 03:02:56 -0400
libicns, a library used for parsing Apple ICNS image files, contains a heap-based buffer overflow in the icns2png utility and the associated library code (icns_image.c). The vulnerability occurs when parsing malformed ICNS files whose element size fields are crafted to exceed the allocated heap buffer. Specifically, icns_get_image_from_element() performs a memcpy() using a length field read from the ICNS element without bounds-checking it against the allocated buffer. When triggered with a specially crafted ICNS file (e.g., uaf1.icns), the parser performs an out-of-bounds read on the heap, resulting in a crash.

The issue can be triggered by any local user, or by supplying a malicious ICNS file to an application that uses libicns for image extraction or processing.

*Impact:*
- The process parsing the ICNS file crashes, preventing further execution.
- The out-of-bounds heap access leaves applications embedding libicns exposed to undefined behavior.
- Low likelihood in standard CLI usage; embedding libicns in a network-facing service raises the exposure, although the sanitizer report below shows only an out-of-bounds read, not a write, so code execution has not been demonstrated.

*Proof of Concept:*
icns_get_image_from_element() reads a length from the ICNS file and copies that many bytes into a statically or heap-allocated buffer without validating that the length does not exceed the allocated size. This allows out-of-bounds heap access.

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0:halt_on_error=1 ./icns2png -x uaf1.icns
Reading icns family from uaf1.icns...
Extracting icons from uaf1.icns...
=================================================================
==932188==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x507000000068
READ of size 8 at 0x507000000068 thread T0
    #0 0xaaaab11f5138 in __asan_memcpy (/root/libicns/icnsutils/icns2png+0xe5138)
    #1 0xaaaab1240ac4 in icns_get_image_from_element /root/libicns/src/icns_image.c:533:5
    #2 0xaaaab123cdfc in icns_get_image32_with_mask_from_family /root/libicns/src/icns_image.c:94:10
    #3 0xaaaab12393dc in ExtractAndDescribeIconFamily /root/libicns/icnsutils/icns2png.c:666:14

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
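The check that the advisory says is missing, written out as an added example in C. This is not libicns code and does not reproduce icns_get_image_from_element(); it is a hypothetical minimal ICNS family walker that assumes the standard ICNS layout (a 4-byte type and a 4-byte big-endian size for both the family header and each element, sizes inclusive of the 8-byte header) and validates every size field against the bytes that actually remain before any memcpy() is issued. The two sample families (good_family, bad_family) are constructed inline; the second carries an element size of 0x7FFFFFF0, the kind of crafted length that drives an unchecked copy past a 24-byte allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICNS_HDR 8   /* 4-byte type + 4-byte big-endian size, family and element alike */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* One element as located inside the family buffer: 'data' points at the
 * payload and 'size' is the payload length (element size minus header). */
typedef struct {
    uint32_t type;
    uint32_t size;
    const uint8_t *data;
} icns_elem_t;

/* Walk a family and invoke cb for each element. Every size field is checked
 * against the bytes that remain, so a crafted size can never drive a later
 * memcpy() beyond the buffer. Returns the element count, or -1 when the
 * family header or any element size is inconsistent with 'len'. */
int icns_walk_family(const uint8_t *buf, size_t len,
                     void (*cb)(const icns_elem_t *, void *), void *ctx)
{
    if (buf == NULL || len < ICNS_HDR) return -1;
    if (memcmp(buf, "icns", 4) != 0) return -1;
    uint32_t family_size = be32(buf + 4);
    /* The declared family size must be covered by the bytes we were given. */
    if (family_size < ICNS_HDR || family_size > len) return -1;

    size_t off = ICNS_HDR;
    int count = 0;
    while (off < family_size) {
        if (family_size - off < ICNS_HDR) return -1;           /* truncated header */
        uint32_t esize = be32(buf + off + 4);
        /* Element size includes its own header and must fit in what remains. */
        if (esize < ICNS_HDR || esize > family_size - off) return -1;
        icns_elem_t e = { be32(buf + off), esize - ICNS_HDR, buf + off + ICNS_HDR };
        if (cb) cb(&e, ctx);
        off += esize;
        count++;
    }
    return count;
}

/* Copy an element payload into a caller-owned buffer. This is the comparison
 * an unchecked memcpy() lacks: the source length is tested against the
 * destination capacity first. Returns bytes copied, or -1 on refusal. */
long icns_copy_payload(const icns_elem_t *e, uint8_t *dst, size_t dst_len)
{
    if (e == NULL || dst == NULL) return -1;
    if (e->size > dst_len) return -1;
    memcpy(dst, e->data, e->size);
    return (long)e->size;
}

/* Constructed sample families (not taken from any real file). */
/* Well-formed: 24-byte family holding one 'is32' element with 8 payload bytes. */
static const uint8_t good_family[24] = {
    'i','c','n','s', 0,0,0,24,
    'i','s','3','2', 0,0,0,16,
    1,2,3,4,5,6,7,8
};
/* Crafted: identical layout, but the element claims 0x7FFFFFF0 bytes. A parser
 * that trusts the field would memcpy() far past the 24-byte allocation. */
static const uint8_t bad_family[24] = {
    'i','c','n','s', 0,0,0,24,
    'i','s','3','2', 0x7F,0xFF,0xFF,0xF0,
    1,2,3,4,5,6,7,8
};

static void sum_payload(const icns_elem_t *e, void *ctx)
{
    *(size_t *)ctx += e->size;
}

/* Returns 1 when the well-formed family parses as one element of 8 bytes. */
int demo_good(void)
{
    size_t total = 0;
    int n = icns_walk_family(good_family, sizeof good_family, sum_payload, &total);
    return (n == 1 && total == 8) ? 1 : 0;
}

/* Returns -1: the crafted element size is rejected before any copy happens. */
int demo_bad(void)
{
    size_t total = 0;
    return icns_walk_family(bad_family, sizeof bad_family, sum_payload, &total);
}

/* Returns 1 when an oversized copy is refused and a fitting one succeeds. */
int demo_copy(void)
{
    icns_elem_t e = { 0, 8, good_family + 16 };
    uint8_t small[4], big[16];
    return icns_copy_payload(&e, small, sizeof small) == -1 &&
           icns_copy_payload(&e, big, sizeof big) == 8;
}

int main(void)
{
    printf("good family: %d, crafted family: %d, copy check: %d\n",
           demo_good(), demo_bad(), demo_copy());
    return 0;
}
```

Both checks matter: the walker bounds each element against the family it came from, and the copy routine bounds the payload against the destination. A fix that adds only the first still lets a legitimate-looking element that is larger than the caller's image buffer overrun it.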