Gentoo Archives: gentoo-security

From: Heiko Vogel <haaner@×××.de>
To: gentoo-security@l.g.o
Subject: [gentoo-security] qt-3.3.2 -- heap overflow error
Date: Fri, 20 Aug 2004 13:37:32
Message-Id: 87hdqy7x3m.fsf@BigBird.foellmar.de
----- Forwarded message from chris@××××××××××××.org -----

To: bugtraq@×××××××××××××.com
From: chris@××××××××××××.org
Date: Thu, 19 Aug 2004 00:35:39 +0100 (BST)
Subject: CESA-2004-004: qt


CESA-2004-004 - rev 3

http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error
=======================================

Programs: qt, and any programs which use qt to decode BMP files. For
example, KDE (including konqueror).
Severity: Possible compromise of account used to browse
malicious BMP files.

CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.

a) User supplied length used to read into heap buffer without adequate bounds
checking:

    default: // absolute mode
        if ( d->readBlock( (char *)p, b ) != b )

b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:

    } else { // encoded mode
        memset( p, d->getch(), b ); // repeat pixel

c) User supplied delta pixel co-ordinates used without range checking:

    case 2: // delta (jump)
        x += d->getch();
        y += d->getch();
        p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).


CESA-2004-004 - rev 3
Chris Evans
chris@××××××××××××.org

[Advertisement: I am interested in moving into a security related field
full-time. E-mail me to discuss.]

----- End forwarded message -----

greetz,
haaner

--
gentoo-security@g.o mailing list
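As an added example (not Qt's code and not part of the advisory), here is the shape of an 8-bit RLE BMP run decoder that carries the three checks the advisory reports as missing in read_dib: the absolute run (1a), the encoded run (1b) and the delta jump (1c). rle8_decode, demo and the sample streams are hypothetical; the caller is assumed to supply an output buffer of exactly w*h bytes.

```c
#include <stdint.h>
#include <string.h>

/* Decode a BI_RLE8 pixel stream into a w*h byte image stored bottom-up,
 * mirroring the advisory's line[h-y-1] addressing. Returns 1 on success and
 * 0 as soon as a run or delta would touch memory outside the image, which is
 * exactly what the unchecked absolute, encoded and delta cases allowed. */
int rle8_decode(const uint8_t *in, size_t in_len, uint8_t *out, int w, int h) {
    size_t i = 0;
    int x = 0, y = 0;
    while (i + 1 < in_len) {
        uint8_t b = in[i++];
        uint8_t c = in[i++];
        if (b != 0) {                       /* encoded mode: pixel c repeated b times (1b) */
            if (y >= h || b > w - x) return 0;
            memset(out + (size_t)(h - y - 1) * w + x, c, b);
            x += b;
        } else if (c == 0) {                /* end of line */
            x = 0; y++;
        } else if (c == 1) {                /* end of bitmap */
            return 1;
        } else if (c == 2) {                /* delta jump: must land inside the image (1c) */
            if (i + 2 > in_len) return 0;
            x += in[i++]; y += in[i++];
            if (x > w || y >= h) return 0;
        } else {                            /* absolute mode: c literal pixels (1a) */
            if (y >= h || c > w - x || i + c > in_len) return 0;
            memcpy(out + (size_t)(h - y - 1) * w + x, in + i, c);
            i += c + (c & 1);               /* absolute runs are padded to even length */
            x += c;
        }
    }
    return 0;                               /* stream ended without an end-of-bitmap marker */
}
/* Constructed sample streams for a 4x2 image; none of these is the advisory's demo file. */
const uint8_t good_stream[]   = { 3, 0xAA, 0, 0, 0, 3, 1, 2, 3, 0, 0, 1 };
const uint8_t long_absolute[] = { 0, 200 };                /* run longer than the line (1a) */
const uint8_t long_encoded[]  = { 255, 0x11 };             /* repeat longer than the line (1b) */
const uint8_t bad_delta[]     = { 0, 2, 0, 100, 1, 0xBB };  /* jump far below the image (1c) */
uint8_t demo_image[4 * 2];
/* Returns 1 when the benign stream decodes and all three malformed streams are rejected. */
int demo(void) {
    memset(demo_image, 0, sizeof demo_image);
    if (rle8_decode(good_stream, sizeof good_stream, demo_image, 4, 2) != 1) return 0;
    if (demo_image[0] != 1 || demo_image[4] != 0xAA) return 0;
    return rle8_decode(long_absolute, sizeof long_absolute, demo_image, 4, 2) == 0
        && rle8_decode(long_encoded, sizeof long_encoded, demo_image, 4, 2) == 0
        && rle8_decode(bad_delta, sizeof bad_delta, demo_image, 4, 2) == 0;
}
```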

Replies

Subject Author
Re: [gentoo-security] qt-3.3.2 -- heap overflow error Ned Ludd <solar@g.o>