CESA-2004-004 - rev 3
http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error
=======================================

Programs: qt, and any programs which use qt to decode BMP files. For example,
KDE (including konqueror).
Severity: Possible compromise of the account used to browse malicious BMP files.
CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code. The
specific version of qt discussed is v3.3.2. qt-3.3.3 has already been released
and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.

a) User-supplied length used to read into a heap buffer without adequate bounds
   checking:

    default:                            // absolute mode
        if ( d->readBlock( (char *)p, b ) != b )

b) User-supplied length used to memset() a piece of a heap buffer without
   adequate bounds checking:

    } else {                            // encoded mode
        memset( p, d->getch(), b );     // repeat pixel

c) User-supplied delta pixel co-ordinates used without range checking:

    case 2:                             // delta (jump)
        x += d->getch();
        y += d->getch();
        p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).

Chris Evans
chris@scary.beasts.org

[Advertisement: I am interested in moving into a security related field
full-time. E-mail me to discuss.]
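The three missing checks (a), (b) and (c) all come down to the same invariant: every write into the pixel buffer must stay inside the current row, and every jump must land inside the image. The decoder below is an added example written for this advisory, not qt's read_dib and not the qt-3.3.3 fix; it keeps the loop shape of the quoted code (bottom-up row pointers in line[], an escape byte of 0 followed by a mode byte) so the checks sit where the quoted fragments are. ByteStream is an assumed stand-in for the QIODevice getch()/readBlock() calls, the input streams are constructed for the example, and width/height are assumed to have been validated from the header already. Oversized runs and out-of-image deltas are rejected rather than clamped, which is the conservative choice for untrusted input.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed stand-in for the QIODevice calls used by read_dib: getch() returns -1 at EOF,
// readBlock() returns the number of bytes actually copied.
class ByteStream {
 public:
  ByteStream(const uint8_t* d, size_t n) : data_(d), n_(n), pos_(0) {}
  int getch() { return pos_ < n_ ? data_[pos_++] : -1; }
  size_t readBlock(uint8_t* dst, size_t len) {
    size_t avail = n_ - pos_;
    size_t take = len < avail ? len : avail;
    std::memcpy(dst, data_ + pos_, take);
    pos_ += take;
    return take;
  }
 private:
  const uint8_t* data_;
  size_t n_, pos_;
};

struct Rle8Result {
  bool ok;                      // false if the stream was truncated or out of bounds
  std::vector<uint8_t> pixels;  // top-down, pixels[y * w + x]; untouched bytes stay 0
};

// Bounds-checked 8-bit RLE (BI_RLE8) pixel decoder, structured like the quoted loop.
Rle8Result decodeRle8(const uint8_t* src, size_t srcLen, int w, int h) {
  Rle8Result r{false, std::vector<uint8_t>(size_t(w) * size_t(h), 0)};
  if (w <= 0 || h <= 0) return r;
  ByteStream d(src, srcLen);
  // BMP rows are stored bottom-up: line[h-1] is the first row in the stream.
  std::vector<uint8_t*> line(h);
  for (int i = 0; i < h; ++i) line[i] = r.pixels.data() + size_t(i) * size_t(w);
  int x = 0, y = 0, b;
  uint8_t* p = line[h - 1];
  while (y < h) {
    if ((b = d.getch()) < 0) break;                   // EOF
    if (b == 0) {                                     // escape code
      if ((b = d.getch()) < 0) return r;              // truncated escape
      switch (b) {
        case 0:                                       // end of line
          x = 0; y++;
          if (y < h) p = line[h - y - 1];             // never index line[-1]
          break;
        case 1:                                       // end of bitmap
          y = h;
          break;
        case 2: {                                     // delta (jump)
          int dx = d.getch(), dy = d.getch();
          if (dx < 0 || dy < 0) return r;
          // check (c): the jump target must lie inside the image
          if (dx > w - x || dy >= h - y) return r;
          x += dx; y += dy;
          p = line[h - y - 1] + x;
          break;
        }
        default: {                                    // absolute mode: b literal pixels
          // check (a): b bytes must fit in the rest of this row before reading into p
          if (b > w - x) return r;
          if (d.readBlock(p, size_t(b)) != size_t(b)) return r;
          if (b & 1) d.getch();                       // pad to word boundary
          x += b; p += b;
        }
      }
    } else {                                          // encoded mode: repeat pixel b times
      int v = d.getch();
      if (v < 0) return r;
      // check (b): the run must fit in the rest of this row before memset()
      if (b > w - x) return r;
      std::memset(p, v, size_t(b));
      x += b; p += b;
    }
  }
  r.ok = true;
  return r;
}

// Constructed 4x2 stream: run of 3, run of 1, end of line, delta (1,0), 3 literal
// bytes plus pad, end of bitmap. Decodes to top row 00 11 22 33, bottom row AA AA AA BB.
bool demoWellFormed() {
  const uint8_t s[] = {0x03, 0xAA, 0x01, 0xBB, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00,
                       0x00, 0x03, 0x11, 0x22, 0x33, 0x00, 0x00, 0x01};
  Rle8Result g = decodeRle8(s, sizeof s, 4, 2);
  const std::vector<uint8_t> want = {0x00, 0x11, 0x22, 0x33, 0xAA, 0xAA, 0xAA, 0xBB};
  return g.ok && g.pixels == want;
}
// Constructed malformed streams, one per check: absolute length past the row end,
// encoded run past the row end, delta past the last row. Each must be rejected.
bool demoRejectsAbsoluteOverrun() {
  const uint8_t s[] = {0x00, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05, 0x00};
  return !decodeRle8(s, sizeof s, 4, 2).ok;
}
bool demoRejectsRunOverrun() {
  const uint8_t s[] = {0xFF, 0xAA};
  return !decodeRle8(s, sizeof s, 4, 2).ok;
}
bool demoRejectsDeltaOverrun() {
  const uint8_t s[] = {0x00, 0x02, 0x00, 0x7F, 0x01, 0xAA};
  return !decodeRle8(s, sizeof s, 4, 2).ok;
}
```

The check in each branch is "remaining space in the row", w - x, compared against the user-supplied count before the write, and "remaining rows", h - y, before the jump; because x and y are only ever advanced by checked amounts, p can never leave the pixel buffer.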