CESA-2004-004 - rev 3

http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error

Programs: qt, and any programs which use qt to decode BMP files. For
example, KDE (including konqueror).
Severity: Possible compromise of account used to browse malicious
BMP
files.
CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.
a) User supplied length used to read into heap buffer without adequate bounds
checking:
default: // absolute mode
if ( d->readBlock( (char *)p, b ) != b )
b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:
} else { // encoded mode
memset( p, d->getch(), b ); // repeat pixel
c) User supplied delta pixel co-ordinates used without range checking:
case 2: // delta (jump)
x += d->getch();
y += d->getch();
p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).

CESA-2004-004 - rev 3
Chris Evans
[email protected]

[Advertisement: I am interested in moving into a security related field
full-time. E-mail me to discuss.]