https://bugs.kde.org/show_bug.cgi?id=498368

            Bug ID: 498368
           Summary: ANI plugin DoS vulnerability
    Classification: Frameworks and Libraries
           Product: frameworks-kimageformats
           Version: 6.9.0
          Platform: Compiled Sources
                OS: All
            Status: REPORTED
          Severity: grave
          Priority: NOR
         Component: general
          Assignee: alex.me...@kde.org
          Reporter: iph...@gmail.com
                CC: aa...@kde.org, kdelibs-b...@kde.org
  Target Milestone: ---

- chunkSizeData is read here:
https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L353
- converted to uint32 here:
https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L357
- used as argument to read here:
https://github.com/KDE/kimageformats/blob/c97ee00f5e8c0c1caf836fa68416157b1a153e3a/src/imageformats/ani.cpp#L379

Resulting in an unbounded read (bounded only by UINT32_MAX), because
QIODevice::read will resize its byte array to the passed value here:
https://github.com/qt/qtbase/blob/403a47cfd571c9954e91234084c6994901939326/src/corelib/io/qiodevice.cpp#L1213.

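The missing check described in the report, as an added example (not code from kimageformats or Qt): a chunk reader that validates the file-supplied size against a cap and against the bytes actually left before any buffer is sized from it. It assumes the usual RIFF chunk layout (4-byte id, 4-byte little-endian size); Reader, Chunk, readChunk, makeChunk and kMaxChunkSize are hypothetical names, and Reader is an in-memory stand-in for a seekable QIODevice.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a seekable QIODevice: a byte buffer plus a cursor.
struct Reader {
    std::vector<uint8_t> data;
    size_t pos;
    size_t bytesAvailable() const { return data.size() - pos; }
};
struct Chunk { std::string id; std::vector<uint8_t> payload; };
// Hypothetical per-chunk cap; choose one that matches what the format needs.
const uint32_t kMaxChunkSize = 16u * 1024 * 1024;

// Reads one RIFF-style chunk: 4-byte id, 4-byte little-endian size, payload.
// Returns false without allocating when the declared size cannot be honoured.
bool readChunk(Reader &r, Chunk &out)
{
    if (r.bytesAvailable() < 8)
        return false;
    const uint8_t *p = r.data.data() + r.pos;
    uint32_t size = uint32_t(p[4]) | uint32_t(p[5]) << 8
                  | uint32_t(p[6]) << 16 | uint32_t(p[7]) << 24;
    // Validate the file-controlled size before it sizes any buffer.
    if (size > kMaxChunkSize || size > r.bytesAvailable() - 8)
        return false;
    out.id.assign(reinterpret_cast<const char *>(p), 4);
    out.payload.assign(p + 8, p + 8 + size);
    r.pos += 8 + size;
    return true;
}

// Constructed sample input: id "anih", a declared size, `actual` payload bytes.
std::vector<uint8_t> makeChunk(uint32_t declared, size_t actual)
{
    std::vector<uint8_t> b = {'a', 'n', 'i', 'h', uint8_t(declared), uint8_t(declared >> 8),
                              uint8_t(declared >> 16), uint8_t(declared >> 24)};
    b.insert(b.end(), actual, 0x41);
    return b;
}

int main()
{
    Reader r = {makeChunk(0xFFFFFFFFu, 4), 0};
    Chunk c;
    std::printf("oversized chunk accepted: %d\n", readChunk(r, c));
}
```

The cap matters even with the bytes-available check, because a large but well-formed file could otherwise still drive an allocation as big as the file itself.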