pool/kimageformats
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Let's use the full patch instead

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kimageformats?expand=0&rev=162
This commit is contained in:
Fabian Vogt 2019-01-28 13:31:56 +00:00 committed by Git OBS Bridge
parent 863dc72219
commit 60cfeba6d1
1 changed files with 39 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
View File

@ -1,13 +1,47 @@
From 20b6fef093ab276a532d015a192e62d7219c939a Mon Sep 17 00:00:00 2001
From 51d710adda146bc19427c9ea3443c9e0919e6647 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Sun, 20 Jan 2019 12:51:02 +0100
Subject: [PATCH] Fix various OOB reads and writes in kimg_tga and kimg_xcf
Test Plan: No crash anymore.
Summary:
I had a look at some image loading code in kimageformats and found memory
corruption bugs (there might be more):
- oobwrite4b.xcf: OOB write in kimg_xcf:
By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make
size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484
The values aren't arbitrary, so AFAICT DoS only.
Fix is to move the sanity check for size below the assignment.
- oobread.tga: OOB read in kimg_tga:
By overflowing the "size = tga.width * tga.height * pixel_size" calculation,
it's possible to cause OOB reads later on as the image data array is too small:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192
Fix is to use a 64bit integer instead.
- oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga
If RLE is enabled, any size checks are skipped, so it's possible to write
either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga)
or or 507 arbitrary bytes (oobwrite507.tga) out of bounds.
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209
Fix is to check for "num" being negative before reading into the buffer.
Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise)
Test Plan:
Stopped crashing and valgrind don't complain anymore.
TGA preview still works for valid files.
Reviewers: aacid
Subscribers: kde-frameworks-devel
Reviewed By: aacid
Subscribers: lbeltrame, kde-frameworks-devel
Tags: #frameworks
@ -89,10 +123,10 @@ index 3a22b45..9217bed 100644
return true;
}
diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
index 758b65e..824d67a 100644
index f837112..3afb599 100644
--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
@@ -489,11 +489,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
@@ -495,11 +495,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
quint32 ncolors;
xcf_io >> ncolors;