- chunkSizeData is read here: https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L353
- converted to uint32 here: https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L357
- used as argument to read here: https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L379

Resulting in an unbounded read (bounded only by UINT32_MAX), because QIODevice::read will resize its byte array to the passed value here: https://github.com/qt/qtbase/blob/403a47cfd571c9954e91234084c6994901939326/src/corelib/io/qiodevice.cpp#L1213.
Please attach a file that causes a problem.
https://github.com/TokTok/toktok-stack/blob/31385ffceba1ab2f8672893bbef6c8ef8a32eb07/third_party/kimageformats/test/qimage_test.cpp#L48-L50

Base64-encoded:

```
AFJJRkYOAACAQUNPTgB+YAAAAAAAUklGRg4AAIBBQ09OAH5gAAAAAABzZXEgANra2tra2tra2tra2t
ra2tra2tra2tra2tra2tra2tra2traAAAAAAAAAAAAAAAAAF0=
```

Strip the first byte, then it's an input file that causes this.
I cannot reproduce any wrong memory access with that code, neither with valgrind nor with asan. Do you have a backtrace you can share with us?
It's not a wrong memory access, it's a 4GB memory allocation. Try setting ulimit to something not unlimited.
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kimageformats/-/merge_requests/310
Git commit f39ca9dc9bff27a7c087fd4fc58c148c0f66914a by Albert Astals Cid.
Committed on 13/01/2025 at 23:40.
Pushed by mircomir into branch 'master'.

ani: Read chunk elements one at a time instead of all at once

This way, if the file is malformed and there aren't that many elements, we don't try to allocate too much memory to read into.

M +7 -5 src/imageformats/ani.cpp

https://invent.kde.org/frameworks/kimageformats/-/commit/f39ca9dc9bff27a7c087fd4fc58c148c0f66914a
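The allocation pattern from the report and the shape of the fix, as an added example in plain C++ (not kimageformats or Qt code; ByteStream, kSample and the function names are stand-ins constructed for illustration, and the raw uint32 read assumes a little-endian host):

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed sample (not the reporter's file): a 'seq ' chunk header whose
// little-endian size field claims 1 GiB, followed by only 12 bytes of payload.
static const uint8_t kSample[] = {
    's', 'e', 'q', ' ',  0x00, 0x00, 0x00, 0x40,
    1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0 };

struct ByteStream {            // minimal stand-in for the input device
    const uint8_t *p; size_t len; size_t pos = 0;
    ByteStream(const uint8_t *d, size_t n) : p(d), len(n) {}
    size_t read(void *dst, size_t n) {      // short read at end of data
        size_t take = n < len - pos ? n : len - pos;
        std::memcpy(dst, p + pos, take); pos += take; return take;
    }
};

// Parse the 8-byte chunk header; returns the untrusted declared payload size.
uint32_t readChunkHeader(ByteStream &in, char id[5]) {
    uint8_t h[8];
    if (in.read(h, 8) != 8) return 0;
    std::memcpy(id, h, 4); id[4] = 0;
    return h[4] | h[5] << 8 | h[6] << 16 | (uint32_t)h[7] << 24;
}

struct Result { size_t allocated; size_t got; };

// Before the fix: the buffer is sized from the size field before anything is
// read (as QIODevice::read(maxSize) resizes its QByteArray to maxSize), so the
// file's declared size, not its real length, decides the allocation.
Result readAllAtOnce(ByteStream &in, uint32_t declared) {
    std::vector<uint8_t> buf(declared);          // declared bytes allocated up front
    size_t got = in.read(buf.data(), declared);
    return {buf.size(), got};
}

// After the fix: read one uint32 element at a time and stop at EOF, so memory
// grows only with elements actually present in the file.
std::vector<uint32_t> readOneAtATime(ByteStream &in, uint32_t declared) {
    std::vector<uint32_t> out;
    for (uint32_t i = 0; i < declared / 4; ++i) {
        uint32_t v;
        if (in.read(&v, 4) != 4) break;          // fewer bytes than declared
        out.push_back(v);
    }
    return out;
}
```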
Thank you so much for the quick fixes. I'll be running a fuzzer against all the plugins for a while. If I find more issues, I'll file more bugs. We want to use these plugins for our chat client (qTox) and want to be sure people can't abuse it easily.