Version: 3.2.0 (using KDE KDE 3.2.3)
Installed from: Mandrake RPMs
Compiler: gcc 3.3.2
OS: Linux

http://www.securitytracker.com/alerts/2004/Apr/1009746.html

According to the report, the target user's Internet Explorer (and Konqueror) browser will allocate memory for the bitmap file based on the user-supplied image size in the bitmap file. A 58 byte bitmap can reportedly cause up to 51,539,607,528 bytes of memory to be allocated on the target user's system. The vulnerability can reportedly be triggered via HTML that references an affected bitmap file. A demonstration exploit is available at: http://www.4rman.com/exploits/tinybmp.htm

Visiting that URL from konqueror crashes it. Note that visiting the problem bitmap file, http://www.4rman.com/exploits/little2.bmp will also crash konqueror. The image specifies its size as 1114111 x 121. Interestingly, http://www.4rman.com/exploits/little.bmp will not crash konqueror, and it specifies its size as 1114111 x 202.
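The report above describes a decoder that sizes its pixel buffer from header fields it has not validated. As an added example (not KDE's code, and not the code of the exploit page), here is how a BMP loader can bound that allocation before calling the allocator: it parses the BITMAPINFOHEADER, computes the padded stride in 64-bit arithmetic so the product cannot wrap, caps the total against a hypothetical 64 MiB budget, and for uncompressed images requires the file to actually contain the pixels it declares. The 58-byte header built in `bmp_check_constructed` is constructed test input modelled on the dimensions quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical budget: refuse any bitmap whose pixel buffer exceeds 64 MiB. */
#define BMP_MAX_PIXEL_BYTES (64u * 1024u * 1024u)
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Bytes a decoder may allocate for the pixel buffer, or 0 if the header is
 * malformed, the claimed size is implausible, or the file cannot hold it. */
size_t bmp_safe_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    if (le32(buf + 14) < 40) return 0;            /* need a BITMAPINFOHEADER */
    uint32_t offset = le32(buf + 10), compression = le32(buf + 30);
    int32_t width = (int32_t)le32(buf + 18), height = (int32_t)le32(buf + 22);
    uint16_t bpp = (uint16_t)(buf[28] | buf[29] << 8);
    if (width <= 0 || height == 0) return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 0;
    uint64_t rows = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    /* Rows are padded to 4 bytes; 64-bit math keeps width*bpp from wrapping,
     * and dividing the budget by the stride keeps stride*rows from wrapping. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (rows > BMP_MAX_PIXEL_BYTES / stride) return 0;
    uint64_t total = stride * rows;
    /* Uncompressed (BI_RGB) pixels must actually be present in the file. */
    if (compression == 0 && (offset < 54 || offset > len || total > len - offset)) return 0;
    return (size_t)total;
}
/* Constructed test input: a minimal header for w x h x bpp inside a zero-filled
 * file of filelen bytes (at most 4096); returns the allocation verdict. */
size_t bmp_check_constructed(int32_t w, int32_t h, uint16_t bpp, size_t filelen) {
    uint8_t file[4096] = {0};
    if (filelen < 54 || filelen > sizeof file) return 0;
    file[0] = 'B'; file[1] = 'M';
    put32(file + 2, (uint32_t)filelen); put32(file + 10, 54); put32(file + 14, 40);
    put32(file + 18, (uint32_t)w); put32(file + 22, (uint32_t)h);
    file[26] = 1; file[28] = (uint8_t)bpp; file[29] = (uint8_t)(bpp >> 8);
    return bmp_safe_pixel_bytes(file, filelen);
}
int main(void) {   /* the 58-byte case from the report: 54-byte header + 4 pixel bytes */
    printf("allocate %zu bytes\n", bmp_check_constructed(1114111, 121, 32, 58));  /* prints 0 */
    return 0;
}
```

A legitimate 2 x 2 24-bit image in a 70-byte file passes with a 16-byte allocation, while the same header in a 60-byte file is rejected because the pixels it declares are not there.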
I got a crash running kde 3.3.1 visiting: http://www.4rman.com/exploits/tinybmp.htm I didn't get a chance to save a backtrace because the crash-reporter thing didn't show up. [I do have debug stuff enabled and have made other backtraces this afternoon]. No crashes for visiting either *.bmp site, but I don't have kdegraphics installed and have no idea if that makes any difference. It eats 100% CPU cycles, RAM and swap space and then crashes.
The *.bmp files wouldn't crash konqueror here, 3.4.0. But the tinybmp.htm did crash konqueror, and once again I couldn't get a backtrace because I wasn't given the option despite having made backtraces earlier on for this session.
I can confirm this bug with kdelibs & kdebase compiled from SVN (version 3.4.89, >= 20050615). I didn't wait long enough for a crash; I just saw it suck the rest of my RAM as quickly as possible on my machine and then work my HDD into the ground with all the swap access before killing it myself to get a responsive desktop back. A full 20 votes for this bug, because my biggest (only?) beef with Konqueror is the RAM it takes up if I don't close it every couple of days, and I suspect this bug could have something to do with it, or may reveal the true cause when this is investigated.
I can confirm this with konqueror 3.5.4 from slackware 11.0 packages.
The original site is no longer active; it can be tested from now on at: http://web.archive.org/web/20040416105100/http://www.4rman.com/exploits/tinybmp.htm
It does not use exceptional memory, nor does it crash, in 4.1.60 svn trunk 831729.
Can't reproduce either, so I'm closing this bug.