Color Profile Injection (CPI)



tl;dr: Color Profile Injection arises when untrusted input ends up inside a color profile blob.

Why? Color profiles rely on offset and length fields, enabling crafted profile data to corrupt neighboring structures.


Color Profile Injection Background

Color Profile Injection (CPI) occurs because user-controllable inputs can corrupt a color profile binary layout.

Resulting impact includes memory corruption, logic bypasses, and potential code execution.


Profile Injection Defense in Depth

  • Do not construct color profiles using string or byte concatenation.
  • Check all user-controlled data that influences color profile content:
    • Check & enforce fixed lengths
    • Reject unexpected or malformed binary data
  • Make sure user input can’t affect offsets, tag counts, or size fields

Ineffective or Insufficient Input Sanitization

These controls are commonly used but are not sufficient:

  • Escaping or limiting text input
    Color profiles are binary formats; character-based sanitization does not prevent binary structure changes.
  • Trusting earlier data (second-order injection)
    Color profile data that passes validation at creation time may later be reprocessed. Different components can have different parsing assumptions.
  • Relying only on third-party libraries is not enough.
    Libraries do not prevent injection when user input is allowed to influence structural fields such as offsets or lengths.
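As an added example (not code from the original post), the Python check below enforces the structural fields that the defense-in-depth list above says user input must never influence: the declared profile size, the tag count, and each tag's offset and size. Because it runs on the raw blob, the same function can be called again wherever a stored profile is reprocessed, which covers the second-order case in the list of insufficient controls. The field positions (size at offset 0, 'acsp' at 36, tag count at 128, 12-byte tag entries) follow the ICC header layout; the `build_profile` helper and the sample profiles are constructed here purely for the demonstration and are not real profiles.

```python
import struct

HEADER_SIZE = 128      # ICC header is a fixed 128 bytes
TAG_ENTRY_SIZE = 12    # each tag table entry: 4-byte signature, 4-byte offset, 4-byte size
ACSP = b"acsp"         # profile file signature at offset 36


def validate_icc_layout(blob: bytes) -> list:
    """Return a list of structural problems in an ICC profile blob.

    An empty list means the header and tag table are self-consistent:
    no tag overlaps the header/table, none is misaligned, and none
    extends past the end of the buffer.
    """
    problems = []
    n = len(blob)
    if n < HEADER_SIZE + 4:
        return ["profile shorter than header plus tag count"]

    (declared_size,) = struct.unpack_from(">I", blob, 0)
    if declared_size != n:
        problems.append(f"declared size {declared_size} does not match actual {n}")
    if blob[36:40] != ACSP:
        problems.append("missing 'acsp' signature at offset 36")

    (tag_count,) = struct.unpack_from(">I", blob, HEADER_SIZE)
    # Bound the count before multiplying: in fixed-width arithmetic
    # tag_count * 12 can wrap, so compare against what actually fits.
    max_count = (n - HEADER_SIZE - 4) // TAG_ENTRY_SIZE
    if tag_count > max_count:
        problems.append(f"tag count {tag_count} exceeds what fits in {n} bytes")
        return problems

    table_end = HEADER_SIZE + 4 + tag_count * TAG_ENTRY_SIZE
    for i in range(tag_count):
        entry = HEADER_SIZE + 4 + i * TAG_ENTRY_SIZE
        sig, off, size = struct.unpack_from(">4sII", blob, entry)
        name = sig.decode("latin-1")
        if off < table_end:
            problems.append(f"tag {name!r} data overlaps header or tag table")
        if off % 4:
            problems.append(f"tag {name!r} offset {off} is not 4-byte aligned")
        # Written as size > n - off so a huge size cannot wrap off + size around.
        if off > n or size > n - off:
            problems.append(
                f"tag {name!r} offset {off} + size {size} exceeds profile size {n}"
            )
    return problems


def build_profile(tags) -> bytes:
    """Constructed test helper (hypothetical): lay out a minimal profile with
    the given (signature, data) tags. Only the fields the validator reads are
    meaningful; everything else in the header is left zeroed."""
    count = len(tags)
    data_start = HEADER_SIZE + 4 + TAG_ENTRY_SIZE * count
    entries = b""
    body = b""
    for sig, data in tags:
        off = data_start + len(body)
        entries += struct.pack(">4sII", sig, off, len(data))
        body += data + b"\0" * (-len(data) % 4)   # tag data is 4-byte aligned
    header = bytearray(HEADER_SIZE)
    struct.pack_into(">I", header, 0, data_start + len(body))
    header[36:40] = ACSP
    return bytes(header) + struct.pack(">I", count) + entries + body


def tamper_tag_offset(blob: bytes, index: int, new_offset: int) -> bytes:
    """Constructed test helper: overwrite the offset field of tag entry `index`,
    simulating user input reaching a structural field."""
    out = bytearray(blob)
    struct.pack_into(">I", out, HEADER_SIZE + 4 + index * TAG_ENTRY_SIZE + 4, new_offset)
    return bytes(out)


if __name__ == "__main__":
    good = build_profile([(b"desc", b"x" * 16)])
    print("well-formed:", validate_icc_layout(good))
    bad = tamper_tag_offset(good, 0, 0xFFFFFFF0)
    print("tampered offset:", validate_icc_layout(bad))
```

The validator returns every problem it finds rather than the first one, so a caller can log the full set of structural inconsistencies before rejecting the blob; a profile is accepted only when the list is empty.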

CWE References

