lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0408190034030.13283@sphinx.mythic-beasts.com>
Date: Thu, 19 Aug 2004 00:35:39 +0100 (BST)
From: chris@...ry.beasts.org
To: bugtraq@...urityfocus.com
Subject: CESA-2004-004: qt



CESA-2004-004 - rev 3

http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error
=======================================

Programs:          qt, and any programs which use qt to decode BMP files. For
                   example, KDE (including konqueror).
Severity:          Possible compromise of account used to browse malicious
BMP
                   files.
CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.
a) User supplied length used to read into heap buffer without adequate bounds
checking:
     default:    // absolute mode
          if ( d->readBlock( (char *)p, b ) != b )
b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:
    } else {      // encoded mode
        memset( p, d->getch(), b ); // repeat pixel
c) User supplied delta pixel co-ordinates used without range checking:
      case 2:     // delta (jump)
          x += d->getch();
          y += d->getch();
          p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).


CESA-2004-004 - rev 3
Chris Evans
chris@...ry.beasts.org

[Advertisement: I am interested in moving into a security related field
 full-time. E-mail me to discuss.]


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ