Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054

We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file:

---
(61e4.8620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000453 ecx=0922cafd edx=00000c63 esi=0038f7ac edi=0004be40
eip=6ac573e9 esp=0038f6ec ebp=0038f784 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a:
6ac573e9 0fb61411        movzx   edx,byte ptr [ecx+edx]     ds:002b:0922d760=??
0:000> kb
ChildEBP RetAddr  Args to Child              
0038f784 6ac57844 0038f7ac 0038f840 00000000 icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a
0038f798 6ac4807d 0038f7ac 0038f840 76f611a9 icm32!LHCalc3to3_Di16_Do16_Lut8_G32+0x12
0038f8ac 6ac4204c 07b46e58 085f1000 000285c3 icm32!LHMatchColorsPrivate+0xef
0038f8c0 6c5ecab5 00000100 07de1000 000285c3 icm32!CMTranslateColors+0x44
0038f940 011c1963 4f42e2c8 07de1000 000285c3 mscms!TranslateColors+0x108
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.

Attached are two color profiles which trigger the crash at two different offsets within the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41659.zip