----- Forwarded message from chris@××××××××××××.org -----

To: bugtraq@×××××××××××××.com
From: chris@××××××××××××.org
Date: Thu, 19 Aug 2004 00:35:39 +0100 (BST)
Subject: CESA-2004-004: qt


CESA-2004-004 - rev 3

http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error
=======================================

Programs: qt, and any programs which use qt to decode BMP files. For
example, KDE (including konqueror).
Severity: Possible compromise of account used to browse
malicious BMP files.

CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.
a) User supplied length used to read into heap buffer without adequate bounds
checking:
    default: // absolute mode
        if ( d->readBlock( (char *)p, b ) != b )
b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:
    } else { // encoded mode
        memset( p, d->getch(), b ); // repeat pixel
c) User supplied delta pixel co-ordinates used without range checking:
    case 2: // delta (jump)
        x += d->getch();
        y += d->getch();
        p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).


CESA-2004-004 - rev 3
Chris Evans
chris@××××××××××××.org

[Advertisement: I am interested in moving into a security related field
full-time. E-mail me to discuss.]

----- End forwarded message -----

greetz,
haaner

-- 
gentoo-security@g.o mailing list
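Added example, not part of the forwarded advisory and not qt's code: a small 8-bit RLE BMP decoder in C that follows the same loop shape as the read_dib fragments quoted above (encoded mode, absolute mode, delta escape, bottom-up row addressing via h-y-1) but checks every attacker-controlled length and offset against the destination buffer before touching it, which is what flaws 1a, 1b and 1c lack. The escape-code layout (0 = end of line, 1 = end of bitmap, 2 = delta, >=3 = absolute run padded to a word) is the standard BMP RLE8 encoding; the function names and the sample streams are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode 8-bit RLE BMP pixel data into a w*h 8bpp bottom-up buffer.
 * Returns 0 on success, -1 on any malformed or out-of-range input.
 * Every length (b, c) and every delta (dx, dy) comes straight from the
 * file, so each one is checked against the remaining row/image space. */
int rle8_decode(const uint8_t *src, size_t srclen, uint8_t *out, int w, int h)
{
    size_t i = 0;
    int x = 0, y = 0;

    if (w <= 0 || h <= 0 || !src || !out) return -1;
    memset(out, 0, (size_t)w * (size_t)h);

    while (y < h) {
        uint8_t b, c;
        if (i + 2 > srclen) return -1;          /* truncated input */
        b = src[i++];
        c = src[i++];
        if (b > 0) {                            /* encoded mode: c repeated b times */
            if (b > w - x) return -1;           /* run would leave the row (cf. flaw 1b) */
            memset(out + (size_t)(h - y - 1) * w + x, c, b);
            x += b;
        } else if (c == 0) {                    /* end of line */
            x = 0; y++;
        } else if (c == 1) {                    /* end of bitmap */
            return 0;
        } else if (c == 2) {                    /* delta: jump by (dx, dy) */
            if (i + 2 > srclen) return -1;
            int dx = src[i++], dy = src[i++];
            if (dx > w - x || dy > h - y) return -1;   /* cf. flaw 1c */
            x += dx; y += dy;
        } else {                                /* absolute mode: c literal pixels, word-padded */
            size_t n = c, padded = (n + 1) & ~(size_t)1;
            if ((int)n > w - x) return -1;      /* cf. flaw 1a */
            if (i + padded > srclen) return -1; /* literals must exist in the file */
            memcpy(out + (size_t)(h - y - 1) * w + x, src + i, n);
            i += padded; x += (int)n;
        }
    }
    return 0;
}

/* Constructed 5x2 sample stream (not from the advisory). */
static const uint8_t good_stream[] = {
    0x02, 0xAA,                         /* run: 2 x 0xAA */
    0x00, 0x03, 0x01, 0x02, 0x03, 0x00, /* absolute: 3 literals + pad byte */
    0x00, 0x00,                         /* end of line */
    0x00, 0x02, 0x02, 0x00,             /* delta: x += 2, y += 0 */
    0x03, 0xBB,                         /* run: 3 x 0xBB */
    0x00, 0x01                          /* end of bitmap */
};

/* Decodes good_stream; returns 1 if it decodes and the pixels land where expected. */
int check_good_stream(void)
{
    static const uint8_t expected[10] = {
        0x00, 0x00, 0xBB, 0xBB, 0xBB,   /* bottom-up row 0 (written last) */
        0xAA, 0xAA, 0x01, 0x02, 0x03    /* row 1 (written first) */
    };
    uint8_t out[10];
    if (rle8_decode(good_stream, sizeof good_stream, out, 5, 2) != 0) return 0;
    return memcmp(out, expected, sizeof expected) == 0;
}

/* Three constructed malformed streams, one per flaw in the advisory.
 * Each returns the decoder's result; -1 means the input was rejected. */
int check_overlong_run(void)          /* flaw 1b: run of 255 into a 5-pixel row */
{
    static const uint8_t s[] = { 0xFF, 0x41 };
    uint8_t out[10];
    return rle8_decode(s, sizeof s, out, 5, 2);
}
int check_overlong_absolute(void)     /* flaw 1a: 200 literal pixels claimed */
{
    static const uint8_t s[] = { 0x00, 0xC8, 0x01 };
    uint8_t out[10];
    return rle8_decode(s, sizeof s, out, 5, 2);
}
int check_bad_delta(void)             /* flaw 1c: jump 9 rows in a 2-row image */
{
    static const uint8_t s[] = { 0x00, 0x02, 0x00, 0x09, 0x01, 0x41 };
    uint8_t out[10];
    return rle8_decode(s, sizeof s, out, 5, 2);
}

int main(void)
{
    printf("good stream decoded correctly: %d\n", check_good_stream());
    printf("overlong run rejected: %d\n", check_overlong_run() == -1);
    printf("overlong absolute rejected: %d\n", check_overlong_absolute() == -1);
    printf("bad delta rejected: %d\n", check_bad_delta() == -1);
    return 0;
}
```

The point of the three checks is that the row pointer is only ever advanced or written after the count has been compared with the space left in the current row (w - x) and the image (h - y); with the checks removed, the three malformed streams would write past the pixel buffer exactly as the advisory describes.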