| Summary: | Corrupt PCX files crashes gwenview | | |
|---|---|---|---|
| Product: | [Unmaintained] kdelibs | Reporter: | Bruno Rohee <bruno+kde> |
| Component: | kimgio | Assignee: | security |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | | |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | unspecified | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
| Attachments: | Zip containing test images; BABYQUIL.PCX; kimgio_pcx.patch; kdelibs/kimgio patch | | |

Description
Bruno Rohee
2005-03-24 00:10:26 UTC
Created attachment 10321 [details]
Zip containing test images
Sorry, the URLs in the report are not valid anymore.

Nah, seems to be a false alert. No security problem, just a normal crash. The images have large dimensions, so QImage creation fails, QImage::scanLine() returns NULL and the NULL pointer is used for writing. Nothing else, I don't see how this could be exploitable.

OK, this is not too bad; some other packages use a wrapped-around value for malloc() then proceed to write in non-allocated memory. If no calculation is made using dimensions you are quite safe, you should just maybe add a check because file length is obviously not in sync with the alleged image size...

I think there might be a problem if BytesPerLine is larger than w

See also attached image that I found on the web.

Created attachment 10324 [details]
BABYQUIL.PCX
Created attachment 10325 [details]
kimgio_pcx.patch
Patch, please review carefully for correctness.
Created attachment 10326 [details]
kdelibs/kimgio patch
This should take care of the missing checks after QImage creation. But Waldo is
right about the potential problem.

Fixed by security update last week.
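
The three checks raised in the comments above (allocation failure before writing, BytesPerLine larger than the width, and file length out of sync with the claimed dimensions) can be sketched as header validation in plain C. This is an added example, not the kimgio patch attached to this report; the function names, status codes and the `PCX_MAX_DIM` limit are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCX_HDR_LEN 128u
#define PCX_MAX_DIM 16384u /* assumed policy limit, not part of the PCX format */

enum pcx_status { PCX_OK, PCX_TRUNCATED, PCX_BAD_MAGIC, PCX_BAD_DEPTH,
                  PCX_BAD_DIMS, PCX_BAD_STRIDE, PCX_SHORT_DATA };

struct pcx_info { uint32_t width, height, copy_bytes; uint16_t bytes_per_line; uint8_t planes; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the 128-byte PCX header against the real length of the file. */
enum pcx_status pcx_check(const uint8_t *buf, size_t len, struct pcx_info *out)
{
    if (len < PCX_HDR_LEN) return PCX_TRUNCATED;
    if (buf[0] != 0x0A) return PCX_BAD_MAGIC;
    uint8_t bpp = buf[3], planes = buf[65];
    if ((bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8) || planes < 1 || planes > 4)
        return PCX_BAD_DEPTH;
    uint16_t xmin = le16(buf + 4), ymin = le16(buf + 6);
    uint16_t xmax = le16(buf + 8), ymax = le16(buf + 10);
    if (xmax < xmin || ymax < ymin) return PCX_BAD_DIMS;
    uint32_t w = (uint32_t)(xmax - xmin) + 1u, h = (uint32_t)(ymax - ymin) + 1u;
    if (w > PCX_MAX_DIM || h > PCX_MAX_DIM) return PCX_BAD_DIMS;
    uint16_t bpl = le16(buf + 66);
    uint32_t need = (w * bpp + 7u) / 8u; /* bytes one plane row really holds */
    if (bpl < need) return PCX_BAD_STRIDE;
    /* A 2-byte RLE pair expands to at most 63 bytes, so the data after the
       header must be at least 2 * ceil(decoded / 63) bytes (a lower bound). */
    uint64_t decoded = (uint64_t)bpl * planes * h;
    if ((uint64_t)(len - PCX_HDR_LEN) < 2u * ((decoded + 62u) / 63u)) return PCX_SHORT_DATA;
    out->width = w; out->height = h; out->copy_bytes = need;
    out->bytes_per_line = bpl; out->planes = planes;
    return PCX_OK;
}

/* Store one decoded plane row. dst is NULL when image allocation failed;
   only copy_bytes are written, even when BytesPerLine is larger. */
int pcx_store_row(uint8_t *dst, size_t dst_len, const uint8_t *row, const struct pcx_info *pi)
{
    if (dst == NULL || row == NULL || dst_len < pi->copy_bytes) return -1;
    memcpy(dst, row, pi->copy_bytes);
    return 0;
}
```

BytesPerLine is clamped rather than rejected when it exceeds the row size, because valid PCX files pad each line to an even byte count.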