Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate

We discussed this vulnerability as part of our weekly podcast on 01 December 2021

An uninitialized-memory use in Apple's ColorSync, found by fuzzing. When parsing an image, the library calculates the start address for reading pixel data out of a Color Lookup Table (CLUT) data point array by indexing into the array with 2 * x * y. If the in_channels field in the header is set to 0, however, the y coordinate is never initialized and keeps whatever value happened to be in that stack slot. If that stale value is very large or negative, the array access goes out of bounds and triggers the crash. The takeaway is the usual one for header-driven loops: a count field of 0 means the code that would have populated the coordinate never runs, so a parser has to either reject such a header up front or initialize the value and bounds-check the resulting offset before using it.
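The following is an added example modelling the bug shape described above; it is not ColorSync code, and the function names, the header fields, the channel coordinate array and the sample table are all assumptions made for illustration. It puts the vulnerable index computation beside a hardened one that rejects in_channels == 0, guards the 2 * x * y multiplication against wrapping, and bounds-checks the offset against the table before any read happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Added example (not ColorSync code): a hypothetical model of the CLUT
 * start-offset computation described in the post. Names and layout are
 * assumptions for illustration only. */

#define CLUT_ENTRIES 256u

/* Constructed sample table standing in for the CLUT data point array. */
static uint16_t g_clut[CLUT_ENTRIES];

static void clut_fill(void)
{
    static int done;
    if (done) return;
    for (uint32_t i = 0; i < CLUT_ENTRIES; i++)
        g_clut[i] = (uint16_t)(i * 3);    /* constructed contents */
    done = 1;
}

/* Vulnerable shape. y is assigned only inside the per-channel loop, so when
 * in_channels == 0 the body never runs and y keeps whatever the stack slot
 * held. Reading a genuinely uninitialized local is undefined behaviour in C,
 * so the stale slot is modelled deterministically by `stale_y`; that is the
 * only departure from the shape the post describes. */
static int64_t clut_offset_vulnerable(uint32_t in_channels, uint32_t x,
                                      const uint32_t *coords, int64_t stale_y)
{
    int64_t y = stale_y;                  /* stands in for an uninitialized local */
    for (uint32_t i = 0; i < in_channels; i++)
        y = (int64_t)coords[i];           /* row chosen by the channel coordinate */
    return 2 * (int64_t)x * y;            /* start offset 2*x*y into the table */
}

/* Hardened shape: refuse a header that cannot drive the lookup, guard the
 * multiplication against overflow, and bounds-check the offset against the
 * table length before anything is read. Returns -1 on rejection. */
static int64_t clut_offset_hardened(uint32_t in_channels, uint32_t x,
                                    const uint32_t *coords, size_t table_len)
{
    if (in_channels == 0)
        return -1;                        /* would leave y uninitialized above */
    uint64_t y = coords[in_channels - 1]; /* same channel the loop would end on */
    if (y != 0 && (uint64_t)x > UINT64_MAX / (2ULL * y))
        return -1;                        /* 2*x*y would wrap */
    uint64_t off = 2ULL * x * y;
    if (off >= table_len)
        return -1;                        /* out of bounds for this table */
    return (int64_t)off;
}

/* Reads one entry through the hardened path; returns -1 if the header is rejected. */
static int64_t clut_read(uint32_t in_channels, uint32_t x, const uint32_t *coords)
{
    clut_fill();
    int64_t off = clut_offset_hardened(in_channels, x, coords, CLUT_ENTRIES);
    if (off < 0)
        return -1;
    return g_clut[off];
}

int main(void)
{
    uint32_t coords[1] = { 5 };

    printf("valid header: offset %" PRId64 ", value %" PRId64 "\n",
           clut_offset_hardened(1, 3, coords, CLUT_ENTRIES),
           clut_read(1, 3, coords));

    /* in_channels == 0: the vulnerable path trusts whatever y held. A stale -1
     * yields a negative offset, a stale 0x7fffffff a huge one; the hardened
     * path rejects the header instead of indexing with either. */
    printf("in_channels=0, stale -1: vulnerable %" PRId64 ", hardened %" PRId64 "\n",
           clut_offset_vulnerable(0, 3, coords, -1),
           clut_offset_hardened(0, 3, coords, CLUT_ENTRIES));
    printf("in_channels=0, stale 0x7fffffff: vulnerable %" PRId64 "\n",
           clut_offset_vulnerable(0, 3, coords, 0x7fffffff));
    return 0;
}
```

The two functions agree on any well-formed header; they only diverge when in_channels is 0 or the product would leave the table, which is exactly where a fuzzer lands. The `stale_y` parameter is a stand-in so the vulnerable path can be exercised deterministically; in the real bug the value is simply whatever the previous frame left behind.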