Bug 498368

Summary:	ANI plugin DoS vulnerability
Product:	[Frameworks and Libraries] frameworks-kimageformats	Reporter:	iphydf
Component:	general	Assignee:	Alex Merry <alex.merry>
Status:	RESOLVED FIXED
Severity:	grave	CC:	aacid, kdelibs-bugs-null
Priority:	NOR
Version First Reported In:	6.9.0
Target Milestone:	---
Platform:	Compiled Sources
OS:	All
Latest Commit:	https://invent.kde.org/frameworks/kimageformats/-/commit/f39ca9dc9bff27a7c087fd4fc58c148c0f66914a	Version Fixed/Implemented In:
Sentry Crash Report:

Description iphydf 2025-01-08 01:30:23 UTC

- chunkSizeData is read here: https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L353
- converted to uint32 here: https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L357
- used as argument to read here: https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L379

Resulting in an unbounded read (bounded only by UINT32_MAX), because QIODevice::read will resize its byte array to the passed value here: https://github.com/qt/qtbase/blob/403a47cfd571c9954e91234084c6994901939326/src/corelib/io/qiodevice.cpp#L1213.

Comment 1 Albert Astals Cid 2025-01-08 16:02:58 UTC

Please attach a file that causes a problem.

Comment 2 iphydf 2025-01-08 16:12:23 UTC

https://github.com/TokTok/toktok-stack/blob/31385ffceba1ab2f8672893bbef6c8ef8a32eb07/third_party/kimageformats/test/qimage_test.cpp#L48-L50

Base64-encoded:
```
AFJJRkYOAACAQUNPTgB+YAAAAAAAUklGRg4AAIBBQ09OAH5gAAAAAABzZXEgANra2tra2tra2tra2t
ra2tra2tra2tra2tra2tra2tra2traAAAAAAAAAAAAAAAAAF0=
```

Strip the first byte, then it's an input file that causes this.

Comment 3 Albert Astals Cid 2025-01-08 18:19:35 UTC

i can not reproduce any wrong memory access with that code neigher with valgrind nor with asan.

Do you have a backtrace you can share with us?

Comment 4 iphydf 2025-01-08 23:59:12 UTC

It's not a wrong memory access, it's a 4GB memory allocation. Try setting ulimit to something not unlimited.

Comment 5 Bug Janitor Service 2025-01-13 23:40:46 UTC

A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kimageformats/-/merge_requests/310

Comment 6 Albert Astals Cid 2025-01-14 10:09:01 UTC

Git commit f39ca9dc9bff27a7c087fd4fc58c148c0f66914a by Albert Astals Cid.
Committed on 13/01/2025 at 23:40.
Pushed by mircomir into branch 'master'.

ani: Read chunk elements one at a time instead all at once

This way if the file is malformed and there's not that many elements we don't
try allocate too much memory to read into

M  +7    -5    src/imageformats/ani.cpp

https://invent.kde.org/frameworks/kimageformats/-/commit/f39ca9dc9bff27a7c087fd4fc58c148c0f66914a

Comment 7 iphydf 2025-01-14 10:11:44 UTC

Thank you so much for the quick fixes. I'll be running a fuzzer against all the plugins for a while. If I find more issues, I'll file more bugs. We want to use these plugins for our chat client (qTox) and want to be sure people can't abuse it easily.