Vulnerability fix notes

Qt 5.6

CVE-2015-9541

Problem description

Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.

Fix status

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtbase/+/293909

--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@
     QHash<QStringView, Entity> entityHash;
     QHash<QStringView, Entity> parameterEntityHash;
     QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+    int entityExpansionLimit = 4096;
+    int entityLength = 0;
     inline bool referenceEntity(Entity &entity) {
         if (entity.isCurrentlyReferenced) {
-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+            return false;
+        }
+        // entityLength represents the amount of additional characters the
+        // entity expands into (can be negative for e.g. &amp;). It's used to
+        // avoid DoS attacks through recursive entity expansions
+        entityLength += entity.value.size() - entity.name.size() - 2;
+        if (entityLength > entityExpansionLimit) {
+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
             return false;
         }
         entity.isCurrentlyReferenced = true;
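Review bot: `entityExpansionLimit` is a hard-coded 4096 with no accessor in this hunk, so any document whose nested entity expansion legitimately exceeds 4 KiB will now be rejected as not well-formed with no way for the application to raise the limit; consider exposing a getter/setter on QXmlStreamReader for callers that parse trusted input. Note also that the 5.6 tree keeps this file under src/corelib/xml/ rather than src/corelib/serialization/, so the file header needs adjusting before the hunk applies, and that changing 'Recursive entity detected.' to 'Self-referencing entity detected.' alters a translatable string.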

@@ -1308,6 +1318,8 @@

         case 10:
             entityReferenceStack.pop()->isCurrentlyReferenced = false;
+            if (entityReferenceStack.isEmpty())
+                entityLength = 0;
             clearSym();
         break;
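Review bot: resetting `entityLength` only when the reference stack becomes empty means the budget accumulates across all sibling references inside one top-level expansion, not just along the recursion depth; that is the right budget for the exponential-expansion case, but add a comment here saying so, because a reader of case 10 alone cannot tell why the counter is cleared at this point rather than on every pop.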

CVE-2020-17507

Problem description:

An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.

Fix status:

False positive: SuperMap (超图) uses Qt 5.6, which is outside the version range reported.

CVE-2017-15011

Problem description:

The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.

Fix status:

False positive: the product package does not use qBittorrent.

CVE-2018-19871

Problem description

An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.

Fix status:

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtimageformats/+/237761

--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -163,6 +163,12 @@
     if (!validDepth)
     {
         mErrorMessage = tr("Image depth not valid");
+        return;
+    }
+    if (quint64(width()) * quint64(height()) > (8192 * 8192))
+    {
+        mErrorMessage = tr("Image size exceeds limit");
+        return;
     }
     int curPos = mDevice->pos();
     int fileBytes = mDevice->size();
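Review bot: `8192 * 8192` is a bare magic number; give it a named constant with a comment stating the memory it bounds (8192×8192 at 32 bpp is 256 MiB) so the cap can be reviewed alongside the similar pixel-count limits in the other image plugins. The added `return;` after 'Image depth not valid' is also a behaviour change worth calling out in the backport note, since previously parsing continued with an invalid depth.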
@@ -233,6 +239,8 @@
     unsigned char yCorner = desc & 0x20; // 0 = lower, 1 = upper
     QImage im(imageWidth, imageHeight, QImage::Format_ARGB32);
+    if (im.isNull())
+        return QImage();
     TgaReader *reader = 0;
     if (bitsPerPixel == 16)
         reader = new Tga16Reader();
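Review bot: returning an empty QImage when `im.isNull()` silently drops the failure; set `mErrorMessage` as the first hunk does, so callers can distinguish an allocation failure from a genuinely empty image.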

CVE-2018-19869

Problem description:

An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.

Fix status:

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtsvg/+/234142

--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -774,16 +774,17 @@
 static QString idFromUrl(const QString &url)
 {
     QString::const_iterator itr = url.constBegin();
-    while ((*itr).isSpace())
+    QString::const_iterator end = url.constEnd();
+    while (itr != end && (*itr).isSpace())
         ++itr;
-    if ((*itr) == QLatin1Char('('))
+    if (itr != end && (*itr) == QLatin1Char('('))
         ++itr;
-    while ((*itr).isSpace())
+    while (itr != end && (*itr).isSpace())
         ++itr;
-    if ((*itr) == QLatin1Char('#'))
+    if (itr != end && (*itr) == QLatin1Char('#'))
         ++itr;
     QString id;
-    while ((*itr) != QLatin1Char(')')) {
+    while (itr != end && (*itr) != QLatin1Char(')')) {
         id += *itr;
         ++itr;
     }
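Review bot: when the final loop exits because `itr == end` rather than on ')', the function returns the partial id as if the reference were well-formed, so `url(#foo` is accepted as id `foo`; since the point of this change is to stop trusting malformed url() values, consider returning an empty QString in that case so the caller treats the reference as invalid.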

CVE-2018-15518

Problem description:

QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.

Fix status:

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtbase/+/236691

CVE-2017-10905

Problem description:

A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.

Fix status:

False positive: this issue affects Qt for Android only; the PC build is not affected.

CVE-2017-10904

Problem description:

Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

Fix status:

Patched by applying the community fix: https://www.qt.io/blog/2017/11/22/security-advisory-qt-android

CVE-2018-19870

Problem description:

An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.

Fix status:

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtbase/+/235998

--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -354,7 +354,8 @@
                     (*image) = QImage(swidth, sheight, format);
                     bpl = image->bytesPerLine();
                     bits = image->bits();
-                    memset(bits, 0, image->sizeInBytes());
+                    if (bits)
+                        memset(bits, 0, image->sizeInBytes());
                 }
                 // Check if the previous attempt to create the image failed. If it
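Review bot: guarding the memset avoids the null dereference, but `bpl` and `bits` stay 0 and nullptr and execution continues; confirm that the failed-image check referred to in the trailing comment also covers a failure in the current iteration, otherwise return an error here as the second hunk does for `backingstore`.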
@@ -415,6 +416,10 @@
                         backingstore = QImage(qMax(backingstore.width(), w),
                                               qMax(backingstore.height(), h),
                                               QImage::Format_RGB32);
+                        if (backingstore.isNull()) {
+                            state = Error;
+                            return -1;
+                        }
                         memset(backingstore.bits(), 0, backingstore.sizeInBytes());
                     }
                     const int dest_bpl = backingstore.bytesPerLine();
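Review bot: this relies on QImage returning a null image when the allocation fails, and there is no upper bound on `w` and `h` before the constructor runs, so a file declaring a very large but still allocatable frame forces that allocation before the check; consider a pixel-count sanity check on w and h before constructing `backingstore`, along the lines of the caps in the TGA and BMP fixes.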

CVE-2018-21035

Problem description:

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).

Fix status:

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735

--- a/src/websockets/qwebsocket.h
+++ b/src/websockets/qwebsocket.h
@@ -115,6 +115,17 @@
     qint64 bytesToWrite() const;
+    void setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize);
+    quint64 maxAllowedIncomingFrameSize() const;
+    void setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize);
+    quint64 maxAllowedIncomingMessageSize() const;
+    static quint64 maxIncomingMessageSize();
+    static quint64 maxIncomingFrameSize();
+
+    void setOutgoingFrameSize(quint64 outgoingFrameSize);
+    quint64 outgoingFrameSize() const;
+    static quint64 maxOutgoingFrameSize();
+
 public Q_SLOTS:
     void close(QWebSocketProtocol::CloseCode closeCode = QWebSocketProtocol::CloseCodeNormal,
                const QString &reason = QString());
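Review bot: these eight methods are new exported symbols on QWebSocket in a 5.6 tree where upstream never shipped them; keeping them non-virtual and appended to the public section preserves the existing vtable layout, but add a note in the backport that they diverge from stock Qt 5.6, so product code does not assume they exist when built against an unpatched Qt.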
--- a/src/websockets/qwebsocket.cpp
+++ b/src/websockets/qwebsocket.cpp
@@ -788,4 +788,115 @@
     return d->m_pSocket ? d->m_pSocket->bytesToWrite() : 0;
 }
+/*!
+    \since 5.15
+    Sets the maximum allowed size of an incoming websocket frame to \a maxAllowedIncomingFrameSize.
+    If an incoming frame exceeds this limit, the peer gets disconnected.
+    The accepted range is between 0 and maxIncomingFrameSize(), default is maxIncomingFrameSize().
+    The purpose of this function is to avoid exhausting virtual memory.
+
+    \sa maxAllowedIncomingFrameSize()
+ */
+void QWebSocket::setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize)
+{
+    Q_D(QWebSocket);
+    d->setMaxAllowedIncomingFrameSize(maxAllowedIncomingFrameSize);
+}
+
+/*!
+    \since 5.15
+    Returns the maximum allowed size of an incoming websocket frame.
+
+    \sa setMaxAllowedIncomingFrameSize()
+ */
+quint64 QWebSocket::maxAllowedIncomingFrameSize() const
+{
+    Q_D(const QWebSocket);
+    return d->maxAllowedIncomingFrameSize();
+}
+
+/*!
+    \since 5.15
+    Sets the maximum allowed size of an incoming websocket message to \a maxAllowedIncomingMessageSize.
+    If an incoming message exceeds this limit, the peer gets disconnected.
+    The accepted range is between 0 and maxIncomingMessageSize(), default is maxIncomingMessageSize().
+    The purpose of this function is to avoid exhausting virtual memory.
+
+    \sa maxAllowedIncomingMessageSize()
+ */
+void QWebSocket::setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize)
+{
+    Q_D(QWebSocket);
+    d->setMaxAllowedIncomingMessageSize(maxAllowedIncomingMessageSize);
+}
+
+/*!
+    \since 5.15
+    Returns the maximum allowed size of an incoming websocket message.
+
+    \sa setMaxAllowedIncomingMessageSize()
+ */
+quint64 QWebSocket::maxAllowedIncomingMessageSize() const
+{
+    Q_D(const QWebSocket);
+    return d->maxAllowedIncomingMessageSize();
+}
+
+/*!
+    \since 5.15
+    Returns the maximum supported size of an incoming websocket message for this websocket
+    implementation.
+ */
+quint64 QWebSocket::maxIncomingMessageSize()
+{
+    return QWebSocketPrivate::maxIncomingMessageSize();
+}
+
+/*!
+    \since 5.15
+    Returns the maximum supported size of an incoming websocket frame for this websocket
+    implementation.
+ */
+quint64 QWebSocket::maxIncomingFrameSize()
+{
+    return QWebSocketPrivate::maxIncomingFrameSize();
+}
+
+/*!
+    \since 5.15
+    Sets the maximum size of an outgoing websocket frame to \a outgoingFrameSize.
+    The accepted range is between 0 and maxOutgoingFrameSize(), default is 512kB.
+    The purpose of this function is to adapt to the maximum allowed frame size
+    of the receiver.
+
+    \sa outgoingFrameSize()
+ */
+void QWebSocket::setOutgoingFrameSize(quint64 outgoingFrameSize)
+{
+    Q_D(QWebSocket);
+    d->setOutgoingFrameSize(outgoingFrameSize);
+}
+
+/*!
+    \since 5.15
+    Returns the maximum size of an outgoing websocket frame.
+
+    \sa setOutgoingFrameSize()
+ */
+quint64 QWebSocket::outgoingFrameSize() const
+{
+    Q_D(const QWebSocket);
+    return d->outgoingFrameSize();
+}
+
+/*!
+    \since 5.15
+    Returns the maximum supported size of an outgoing websocket frame for this websocket
+    implementation.
+ */
+quint64 QWebSocket::maxOutgoingFrameSize()
+{
+    return QWebSocketPrivate::maxOutgoingFrameSize();
+}
+
 QT_END_NAMESPACE
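Review bot: the documentation for the setters states the accepted range but not what happens outside it; the private implementations (see the qwebsocketdataprocessor.cpp and qwebsocketframe.cpp hunks) silently ignore out-of-range values rather than clamping, so say so here, or have the setter return bool. The `\since 5.15` tags are also wrong for a 5.6 backport and should be dropped or adjusted.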
--- a/src/websockets/qwebsocket_p.h
+++ b/src/websockets/qwebsocket_p.h
@@ -160,6 +160,17 @@
     void ping(const QByteArray &payload);
     void setSocketState(QAbstractSocket::SocketState state);
+    void setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize);
+    quint64 maxAllowedIncomingFrameSize() const;
+    void setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize);
+    quint64 maxAllowedIncomingMessageSize() const;
+    static quint64 maxIncomingMessageSize();
+    static quint64 maxIncomingFrameSize();
+
+    void setOutgoingFrameSize(quint64 outgoingFrameSize);
+    quint64 outgoingFrameSize() const;
+    static quint64 maxOutgoingFrameSize();
+
 private:
     QWebSocketPrivate(QTcpSocket *pTcpSocket, QWebSocketProtocol::Version version);
     void setVersion(QWebSocketProtocol::Version version);
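Review bot: the public QWebSocket wrappers call `d->setMaxAllowedIncomingFrameSize()` and friends, but the definitions of these QWebSocketPrivate methods (the forwarding to QWebSocketDataProcessor) are not in this excerpt; confirm the corresponding QWebSocketPrivate definitions are part of the backport, otherwise the build fails at link time.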
@@ -250,6 +261,8 @@
     QString m_httpStatusMessage;
     QMultiMap<QString, QString> m_headers;
+    quint64 m_outgoingFrameSize;
+
     friend class QWebSocketServerPrivate;
 #ifdef Q_OS_WASM
     emscripten::val socketContext = emscripten::val::null();
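Review bot: `m_outgoingFrameSize` has no in-class initialiser, unlike `m_maxAllowedMessageSize` in the data-processor header, yet the public docs promise a 512kB default; initialise it here or confirm the constructor initialiser list (not in the excerpt) sets it. The `Q_OS_WASM` / emscripten context lines also do not exist in the 5.6 file, so this hunk will not apply without rebasing.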
--- a/src/websockets/qwebsocketdataprocessor.cpp
+++ b/src/websockets/qwebsocketdataprocessor.cpp
@@ -105,6 +105,33 @@
     }
 }
+void QWebSocketDataProcessor::setMaxAllowedFrameSize(quint64 maxAllowedFrameSize)
+{
+    frame.setMaxAllowedFrameSize(maxAllowedFrameSize);
+}
+
+quint64 QWebSocketDataProcessor::maxAllowedFrameSize() const
+{
+    return frame.maxAllowedFrameSize();
+}
+
+/*!
+    \internal
+ */
+void QWebSocketDataProcessor::setMaxAllowedMessageSize(quint64 maxAllowedMessageSize)
+{
+    if (maxAllowedMessageSize <= maxMessageSize())
+        m_maxAllowedMessageSize = maxAllowedMessageSize;
+}
+
+/*!
+    \internal
+ */
+quint64 QWebSocketDataProcessor::maxAllowedMessageSize() const
+{
+    return m_maxAllowedMessageSize;
+}
+
 /*!
     \internal
  */
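Review bot: `setMaxAllowedFrameSize` and `maxAllowedFrameSize` lack the `\internal` doc block the next two functions carry, and `setMaxAllowedMessageSize` silently ignores values above `maxMessageSize()`; add the missing doc blocks and either clamp with qMin or emit a qWarning so a misconfigured limit is visible.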
@@ -118,7 +145,7 @@
  */
 quint64 QWebSocketDataProcessor::maxFrameSize()
 {
-    return MAX_FRAME_SIZE_IN_BYTES;
+   return QWebSocketFrame::maxFrameSize();
 }
 /*!
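Review bot: the replacement `return QWebSocketFrame::maxFrameSize();` is indented three spaces where the file uses four; fix the indentation before merging.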
@@ -167,7 +194,7 @@
                         ? quint64(m_textMessage.length())
                         : quint64(m_binaryMessage.length());
                 if (Q_UNLIKELY((messageLength + quint64(frame.payload().length())) >
-                               MAX_MESSAGE_SIZE_IN_BYTES)) {
+                               maxAllowedMessageSize())) {
                     clear();
                     Q_EMIT errorEncountered(QWebSocketProtocol::CloseCodeTooMuchData,
                                             tr("Received message is too big."));
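Review bot: this check runs only after a complete frame has been buffered, so the message limit does not bound memory below the frame limit: a message limit smaller than the configured frame size still allows one frame of up to the frame limit to be held before rejection; document that the two limits should be set together, with the frame limit no larger than the message limit.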
--- a/src/websockets/qwebsocketdataprocessor_p.h
+++ b/src/websockets/qwebsocketdataprocessor_p.h
@@ -65,6 +65,8 @@
 class QIODevice;
 class QWebSocketFrame;
+const quint64 MAX_MESSAGE_SIZE_IN_BYTES = std::numeric_limits<int>::max() - 1;
+
 class Q_AUTOTEST_EXPORT QWebSocketDataProcessor : public QObject
 {
     Q_OBJECT
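Review bot: `std::numeric_limits<int>::max()` needs `<limits>`, and the hunk does not show that include being added to this header; verify it is present directly (a transitive include is fragile for a header other units pull in) so the backport does not fail on a stricter compiler.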
@@ -74,6 +76,10 @@
     explicit QWebSocketDataProcessor(QObject *parent = nullptr);
     ~QWebSocketDataProcessor() override;
+    void setMaxAllowedFrameSize(quint64 maxAllowedFrameSize);
+    quint64 maxAllowedFrameSize() const;
+    void setMaxAllowedMessageSize(quint64 maxAllowedMessageSize);
+    quint64 maxAllowedMessageSize() const;
     static quint64 maxMessageSize();
     static quint64 maxFrameSize();
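Review bot: the patch excerpt contains no test changes; since the class is `Q_AUTOTEST_EXPORT`, extend the existing data-processor autotest with a frame and a message just under and just over the configured limits, so the limits' behaviour is exercised and the silent-ignore semantics of the setters are pinned.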
@@ -115,6 +121,7 @@
     QTextCodec *m_pTextCodec;
     QWebSocketFrame frame;
     QTimer waitTimer;
+    quint64 m_maxAllowedMessageSize = MAX_MESSAGE_SIZE_IN_BYTES;
     bool processControlFrame(const QWebSocketFrame &frame);
     void timeout();
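Review bot: the in-class initialiser `= MAX_MESSAGE_SIZE_IN_BYTES` is C++11; Qt 5.6 does not require C++11 for its own build, so if the product compiles 5.6 without `CONFIG += c++11` this line fails; initialise the member in the constructor instead to be safe in the backport.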
--- a/src/websockets/qwebsocketframe.cpp
+++ b/src/websockets/qwebsocketframe.cpp
@@ -64,6 +64,31 @@
 /*!
     \internal
  */
+void QWebSocketFrame::setMaxAllowedFrameSize(quint64 maxAllowedFrameSize)
+{
+    if (maxAllowedFrameSize <= maxFrameSize())
+        m_maxAllowedFrameSize = maxAllowedFrameSize;
+}
+
+/*!
+    \internal
+ */
+quint64 QWebSocketFrame::maxAllowedFrameSize() const
+{
+    return m_maxAllowedFrameSize;
+}
+
+/*!
+    \internal
+ */
+quint64 QWebSocketFrame::maxFrameSize()
+{
+    return MAX_FRAME_SIZE_IN_BYTES;
+}
+
+/*!
+    \internal
+ */
 QWebSocketProtocol::CloseCode QWebSocketFrame::closeCode() const
 {
     return isDone() ? m_closeCode : QWebSocketProtocol::CloseCodeGoingAway;
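Review bot: the declaration and default value of `m_maxAllowedFrameSize` (qwebsocketframe_p.h) are not in this excerpt; confirm it defaults to `MAX_FRAME_SIZE_IN_BYTES`, because an uninitialised quint64 would make the new check in the frame parser either reject every frame or impose no limit at all.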
@@ -354,7 +379,7 @@
     if (!m_length)
         return PS_DISPATCH_RESULT;
-    if (Q_UNLIKELY(m_length > MAX_FRAME_SIZE_IN_BYTES)) {
+    if (Q_UNLIKELY(m_length > maxAllowedFrameSize())) {
         setError(QWebSocketProtocol::CloseCodeTooMuchData, tr("Maximum framesize exceeded."));
         return PS_DISPATCH_RESULT;
     }
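Review bot: the check sits after the length field is parsed and before the payload is read, which is what makes the limit effective; since the limit is now configurable, consider including `maxAllowedFrameSize()` in the 'Maximum framesize exceeded.' diagnostic (or a debug log) so an operator can tell a hostile peer from a mis-set limit.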

CVE-2020-0570

Problem description:

Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.

Fix status:

Patched by applying the community fix: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd

--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
@@ -1,7 +1,7 @@
 /****************************************************************************
 **
 ** Copyright (C) 2016 The Qt Company Ltd.
-** Copyright (C) 2018 Intel Corporation
+** Copyright (C) 2020 Intel Corporation
 ** Contact: https://www.qt.io/licensing/
 **
 ** This file is part of the QtCore module of the Qt Toolkit.
@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
         for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
             if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
                 continue;
+            if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
+                continue;
             if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
                 continue;
             if (loadHints & QLibrary::LoadArchiveMemberHint) {
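Review bot: add a comment explaining the new condition: when `path` is empty the name is meant to be resolved from the loader's search path, and a prefix containing '/' would turn it into a path relative to the current working directory, which is the uncontrolled search path this CVE describes; without that comment the `contains(QLatin1Char('/'))` test reads as arbitrary.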

CVE-2018-19873

Problem description:

An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.

Handling status:

Patched by applying the community fix: https://codereview.qt-project.org/c/qt/qtbase/+/238749

--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -188,6 +188,8 @@
     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
          return false;                                // weird compression type
+    if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
+        return false;
     return true;
 }
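Review bot: the `16384 * 16384` cap (256 Mpixel) is a bare constant and is independent of `nbits`, so at 32 bpp it still admits a 1 GiB decode; name the constant, comment it, and consider scaling the bound by the bit depth. The `bi.biWidth < 0` test is the essential part of the overflow fix and deserves a comment saying so.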

CVE-2020-24742

Problem description:

An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.

Handling status:

The product package does not use this feature.

CVE-2021-38593

Problem description:

Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

Handling status:

The product package does not use this feature.

libjpeg-turbo

CVE-2020-13790

Problem description:

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Handling status:

Patched by applying the community fix: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a

 source->rescale = (JSAMPLE *)
      (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
-                                  (size_t)(((long)maxval + 1L) *
+                                  (size_t)(((long)MAX(maxval, 255) + 1L) *
                                           sizeof(JSAMPLE)));
    half_maxval = maxval / 2;
    for (val = 0; val <= (long)maxval; val++) {
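Review bot: enlarging `rescale` to at least 256 entries stops the over-read, but the loop below still initialises only entries 0..maxval, so for maxval < 255 an 8-bit sample above maxval now indexes uninitialised memory instead of out-of-bounds memory; either fill entries maxval+1..255 (for example with the clamped value for maxval) or validate each sample against maxval in the 8-bit row readers, as the 16-bit readers already do with `JERR_PPM_OUTOFRANGE`.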

CVE-2021-46822

Problem description:

The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.

Handling status:

Patched by applying the community fix: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2

@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
  register JSAMPLE *rescale = source->rescale;
  JDIMENSION col;
  unsigned int maxval = source->maxval;
+ register int rindex = rgb_red[cinfo->in_color_space];
+  register int gindex = rgb_green[cinfo->in_color_space];
+  register int bindex = rgb_blue[cinfo->in_color_space];
+  register int aindex = alpha_index[cinfo->in_color_space];
+  register int ps = rgb_pixelsize[cinfo->in_color_space];
  if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
    ERREXIT(cinfo, JERR_INPUT_EOF);
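Review bot: the `rindex` line is indented one space after the `+` where the other added lines use two; fix before applying. Otherwise, caching the per-colourspace channel indices and `ps` once per row is the right approach.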
@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
    temp |= UCH(*bufferptr++);
    if (temp > maxval)
      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
-    *ptr++ = rescale[temp];
+    ptr[rindex] = rescale[temp];
    temp  = UCH(*bufferptr++) << 8;
    temp |= UCH(*bufferptr++);
    if (temp > maxval)
      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
-    *ptr++ = rescale[temp];
+    ptr[gindex] = rescale[temp];
    temp  = UCH(*bufferptr++) << 8;
    temp |= UCH(*bufferptr++);
    if (temp > maxval)
      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
-    *ptr++ = rescale[temp];
+    ptr[bindex] = rescale[temp];
+    if (aindex >= 0)
+      ptr[aindex] = 0xFF;
+    ptr += ps;
  }
  return 1;
}
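Review bot: writing through `ptr[rindex]` / `ptr[gindex]` / `ptr[bindex]` and advancing by `ps` is what makes the row fit a 4-byte extended RGB(A) buffer; the alpha fill `0xFF`, however, is only full opacity when JSAMPLE is 8-bit, so use `MAXJSAMPLE` instead so the function stays correct in a 12-bit build.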
@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
      cinfo->in_color_space = JCS_GRAYSCALE;
    TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
    if (maxval > 255) {
-      source->pub.get_pixel_rows = get_word_gray_row;
+      if (cinfo->in_color_space == JCS_GRAYSCALE)
+        source->pub.get_pixel_rows = get_word_gray_row;
+      else
+        ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
    } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
               cinfo->in_color_space == JCS_GRAYSCALE) {
      source->pub.get_pixel_rows = get_raw_row;
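Review bot: a 16-bit PGM loaded into a non-grayscale buffer now fails with `JERR_BAD_IN_COLORSPACE`, which is a behaviour change for tjLoadImage callers that previously got (overflowing) output; document the limitation in the tjLoadImage API notes and the changelog so the new error is understood as intended rather than reported as a regression.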
@@ -647,7 +658,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
      cinfo->in_color_space = JCS_EXT_RGB;
    TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
    if (maxval > 255) {
-      source->pub.get_pixel_rows = get_word_rgb_row;
+      if (IsExtRGB(cinfo->in_color_space))
+        source->pub.get_pixel_rows = get_word_rgb_row;
+      else
+        ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
    } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3
               (cinfo->in_color_space == JCS_EXT_RGB ||
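Review bot: confirm `IsExtRGB()` also accepts plain `JCS_RGB`, since the `#if RGB_RED == 0 ...` branch below treats the default RGB layout and `JCS_EXT_RGB` as equivalent; otherwise a caller passing JCS_RGB for a 16-bit PPM would now hit `JERR_BAD_IN_COLORSPACE` where it previously worked.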

flatbuffers

CVE-2020-35864

Problem description:

An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks.

Handling status:

False positive: the dangling reference exists in the flatbuffers Rust read/write path; the C/C++ implementation does not have this problem.

libpng

CVE-2019-17371

Problem description:

gif2png 2.5.13 has a memory leak in the writefile function.

Handling status:

False positive: this vulnerability is caused by gif2png, not by libpng, and NVD has since corrected it to a gif2png issue. See: https://github.com/glennrp/libpng/issues/307#issuecomment-544779431