Fwd: CESA-2004-004: qt

Archaic archaic at linuxfromscratch.org
Thu Aug 19 19:05:55 PDT 2004

----- Forwarded message from chris at scary.beasts.org -----

To: bugtraq at securityfocus.com
From: chris at scary.beasts.org
Date: Thu, 19 Aug 2004 00:35:39 +0100 (BST)
Subject: CESA-2004-004: qt

CESA-2004-004 - rev 3


qt 3.3.2 BMP parser heap overflow error

Programs:          qt, and any programs which use qt to decode BMP files. For
                   example, KDE (including konqueror).
Severity:          Possible compromise of account used to browse malicious
CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.
a) User supplied length used to read into heap buffer without adequate bounds
     default:    // absolute mode
          if ( d->readBlock( (char *)p, b ) != b )
b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:
    } else {      // encoded mode
        memset( p, d->getch(), b ); // repeat pixel
c) User supplied delta pixel co-ordinates used without range checking:
      case 2:     // delta (jump)
          x += d->getch();
          y += d->getch();
          p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).

CESA-2004-004 - rev 3
Chris Evans
chris at scary.beasts.org

[Advertisement: I am interested in moving into a security related field
 full-time. E-mail me to discuss.]

----- End forwarded message -----


The people cannot delegate to government the power to do anything which
would be unlawful for them to do themselves.

- John Locke, "A Treatise Concerning Civil Government"

More information about the lfs-security mailing list