Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

libicns v0.8.1 Heap Buffer Overflow in libicns ICNS Parsing (icns2png)

From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 11 Sep 2025 03:02:56 -0400
libicns, a library used for parsing Apple ICNS image files, contains a
heap-based buffer overflow in the icns2png utility and associated library
components (icns_image.c). The vulnerability occurs when parsing malformed
ICNS files where element sizes are crafted to exceed the allocated heap
buffer. Specifically, the function icns_get_image_from_element() performs a
memcpy() using a length field read from the ICNS element without proper
bounds checking against the allocated buffer. When triggered with a
specially crafted ICNS file (e.g., uaf1.icns), the parser performs an
out-of-bounds read on the heap, resulting in a crash. The issue can be
triggered by any local user or by supplying a malicious ICNS file to an
application that uses libicns for image extraction or processing.

*Impact:*

   - The process parsing the ICNS file crashes, preventing further
   execution.
   - Heap corruption occurs during the overflow; applications embedding
   libicns may be exposed to undefined behavior.
   - Low likelihood in standard CLI usage, but embedding libicns in a
   network-facing service may increase risk for RCE.


*Proof of Concept: *

icns_get_image_from_element() reads a length from the ICNS file and copies
it into a statically or heap-allocated buffer without validating that the
read length does not exceed the allocated size. This allows out-of-bounds
heap access.


ASAN_OPTIONS=abort_on_error=1:detect_leaks=0:halt_on_error=1 ./icns2png -x
uaf1.icns


Reading icns family from uaf1.icns...

Extracting icons from uaf1.icns...

=================================================================

==932188==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x507000000068

READ of size 8 at 0x507000000068 thread T0

    #0 0xaaaab11f5138 in __asan_memcpy
(/root/libicns/icnsutils/icns2png+0xe5138)

    #1 0xaaaab1240ac4 in icns_get_image_from_element
/root/libicns/src/icns_image.c:533:5

    #2 0xaaaab123cdfc in icns_get_image32_with_mask_from_family
/root/libicns/src/icns_image.c:94:10

    #3 0xaaaab12393dc in ExtractAndDescribeIconFamily
/root/libicns/icnsutils/icns2png.c:666:14
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: