Version: (using KDE 3.4.0)
Installed from: I Don't Know
Tried on a colleague's Debian testing; it should be up to date, but I don't know the exact version.
Some corrupt PCX files crash gwenview badly and it could maybe be exploitable.
To see in action try loading
http://pobox.com/~newt/test/overflow-8.pcx 15561 bytes
http://pobox.com/~newt/test/overflow-24.pcx 40334 bytes
These are slightly modified versions of the valid PCX files
http://pobox.com/~newt/test/grass-8.pcx 15561 bytes
http://pobox.com/~newt/test/grass-24.pcx 40334 bytes
If you could mark this bug confidential, that would be nice; people could try to exploit this. There will be an advisory about it later (other programs suffer from the same problem).
Created attachment 10321
Zip containing test images
Sorry, the URLs in the report are not valid anymore.
Nah, it seems to be a false alert. No security problem, just a normal crash. The images have large dimensions, so QImage creation fails, QImage::scanLine() returns NULL and the NULL pointer is used for writing. Nothing else; I don't see how this could be exploitable.
OK, this is not too bad. Some other packages use a wrapped-around value for malloc() and then proceed to write into non-allocated memory.
If no calculation is made using the dimensions you are quite safe; you should just maybe add a check, because the file length is obviously not in sync with the alleged image size...
I think there might be a problem if BytesPerLine is larger than w.
See also attached image that I found on the web.
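The three concerns raised in this thread (writing through a pointer after a failed image allocation, a wrapped-around malloc() size, and BytesPerLine larger than the width) can all be caught before any pixel is decoded. The following is an added example in plain C with no Qt; it is not code from Gwenview or the kimgio PCX plugin. The 256 MB allocation cap, the function names and the sample files are assumptions constructed for the example.

```c
/* Added example, not Gwenview/kimgio code: the PCX header checks this thread asks
 * for, in plain C (no Qt). All sample files below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

#define PCX_HEADER_LEN 128
#define PCX_MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)  /* allocation cap: an assumption */

enum pcx_status { PCX_OK = 0, PCX_ERR_HEADER, PCX_ERR_DIMENSIONS, PCX_ERR_UNSUPPORTED,
                  PCX_ERR_BYTES_PER_LINE, PCX_ERR_TOO_LARGE, PCX_ERR_TRUNCATED };

struct pcx_info {
    uint32_t width, height, bpp, planes, bytes_per_line;
    size_t row_bytes;    /* bytes_per_line * planes: one decoded scanline */
    size_t image_bytes;  /* row_bytes * height: decode buffer size */
    int rle;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

enum pcx_status pcx_validate(const uint8_t *buf, size_t len, struct pcx_info *out)
{
    if (len < PCX_HEADER_LEN || buf[0] != 0x0A) return PCX_ERR_HEADER;
    uint16_t xmin = rd16(buf + 4), ymin = rd16(buf + 6), xmax = rd16(buf + 8), ymax = rd16(buf + 10);
    if (xmax < xmin || ymax < ymin) return PCX_ERR_DIMENSIONS;

    struct pcx_info in = {0};
    in.width = (uint32_t)xmax - xmin + 1;        /* at most 65536 */
    in.height = (uint32_t)ymax - ymin + 1;
    in.bpp = buf[3]; in.planes = buf[65]; in.bytes_per_line = rd16(buf + 66); in.rle = buf[2] == 1;
    if (!((in.bpp == 1 && in.planes >= 1 && in.planes <= 4) ||
          (in.bpp == 8 && (in.planes == 1 || in.planes == 3))))
        return PCX_ERR_UNSUPPORTED;

    /* BytesPerLine may exceed ceil(width*bpp/8) (padding) but never be smaller: a
     * decoder that sizes its row from width and writes BytesPerLine bytes overflows. */
    if (in.bytes_per_line < (in.width * in.bpp + 7) / 8) return PCX_ERR_BYTES_PER_LINE;

    /* Size the buffer without wrap-around: divide instead of multiplying, so a
     * 65536x65536 claim cannot turn into a tiny malloc() followed by large writes. */
    in.row_bytes = (size_t)in.bytes_per_line * in.planes;           /* <= 65535*4 */
    if (in.height > PCX_MAX_IMAGE_BYTES / in.row_bytes) return PCX_ERR_TOO_LARGE;
    in.image_bytes = in.row_bytes * in.height;

    /* File length vs. claimed size: RLE needs at least 2 bytes per 63 output bytes
     * (run byte 0xC0|63 plus value); uncompressed data is 1:1. */
    size_t min_encoded = in.rle ? 2 * ((in.image_bytes + 62) / 63) : in.image_bytes;
    if (len - PCX_HEADER_LEN < min_encoded) return PCX_ERR_TRUNCATED;

    if (out) *out = in;
    return PCX_OK;
}

/* Decode one RLE scanline of exactly row_bytes bytes. Returns bytes consumed, or 0 if
 * the input runs out. A run crossing the row end is clipped, never written past row. */
size_t pcx_decode_row(const uint8_t *src, size_t src_len, uint8_t *row, size_t row_bytes)
{
    size_t i = 0, o = 0;
    while (o < row_bytes) {
        if (i >= src_len) return 0;
        uint8_t b = src[i++];
        size_t n = 1;
        if ((b & 0xC0) == 0xC0) {
            n = b & 0x3F;
            if (i >= src_len) return 0;
            b = src[i++];
        }
        if (n > row_bytes - o) n = row_bytes - o;
        memset(row + o, b, n);
        o += n;
    }
    return i;
}

/* Constructed header: version 5, RLE, origin (0,0), dimensions and layout as given. */
static void make_header(uint8_t *h, uint16_t w, uint16_t ht, uint8_t bpp, uint8_t planes, uint16_t bpl)
{
    memset(h, 0, PCX_HEADER_LEN);
    h[0] = 0x0A; h[1] = 5; h[2] = 1; h[3] = bpp;
    h[8] = (uint8_t)(w - 1); h[9] = (uint8_t)((w - 1) >> 8);
    h[10] = (uint8_t)(ht - 1); h[11] = (uint8_t)((ht - 1) >> 8);
    h[65] = planes; h[66] = (uint8_t)bpl; h[67] = (uint8_t)(bpl >> 8);
}

/* 4x2 8-bit image with BytesPerLine 6: two pad bytes per row that are decoded into
 * the row buffer but must not be copied into the 4-pixel-wide image. */
enum pcx_status demo_padded_rows(uint8_t pixels[8])
{
    uint8_t file[PCX_HEADER_LEN + 4];
    make_header(file, 4, 2, 8, 1, 6);
    file[128] = 0xC6; file[129] = 0x11;   /* row 0: 6 x 0x11 */
    file[130] = 0xC6; file[131] = 0x22;   /* row 1: 6 x 0x22 */
    struct pcx_info info;
    enum pcx_status st = pcx_validate(file, sizeof file, &info);
    if (st != PCX_OK) return st;
    uint8_t *row = malloc(info.row_bytes);
    const uint8_t *src = file + PCX_HEADER_LEN; size_t left = sizeof file - PCX_HEADER_LEN;
    for (uint32_t y = 0; y < info.height; y++) {
        size_t used = pcx_decode_row(src, left, row, info.row_bytes);
        if (used == 0) { free(row); return PCX_ERR_TRUNCATED; }
        memcpy(pixels + (size_t)y * info.width, row, info.width);  /* width, not BytesPerLine */
        src += used; left -= used;
    }
    free(row);
    return PCX_OK;
}

/* Three malformed headers of the kinds discussed above, each on a 16-byte payload. */
enum pcx_status demo_bad_header(int kind)
{
    uint8_t file[PCX_HEADER_LEN + 16] = {0};
    if (kind == 0) make_header(file, 4, 2, 8, 1, 2);             /* BytesPerLine < width */
    if (kind == 1) make_header(file, 65535, 65535, 8, 3, 65535); /* ~12 GB claim */
    if (kind == 2) make_header(file, 4000, 4000, 8, 1, 4000);    /* 16 MB claim, 16-byte file */
    return pcx_validate(file, sizeof file, NULL);
}
```

The row buffer is always sized from BytesPerLine times the plane count, and only `width` pixels of it are copied out, so a header with BytesPerLine larger than the width cannot push writes past the image. The size check divides the cap by the row size rather than multiplying height by it, which is what keeps a wrapped product from reaching malloc().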
Created attachment 10324
Created attachment 10325
Patch, please review carefully for correctness.
Created attachment 10326
This should take care of the missing checks after QImage creation. But Waldo is right about the potential problem.
Fixed by the security update last week.