漏洞修改说明 ============ .. _qt-56: qt 5.6 ------ CVE-2015-9541 ~~~~~~~~~~~~~ **问题描述**\ : Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. **修改情况**\ : 参考社区修改已修补, https://codereview.qt-project.org/c/qt/qtbase/+/293909 .. code:: diff --- a/src/corelib/serialization/qxmlstream_p.h +++ b/src/corelib/serialization/qxmlstream_p.h @@ -774,9 +774,19 @@ QHash entityHash; QHash parameterEntityHash; QXmlStreamSimpleStackentityReferenceStack; + int entityExpansionLimit = 4096; + int entityLength = 0; inline bool referenceEntity(Entity &entity) { if (entity.isCurrentlyReferenced) { - raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); + raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); + return false; + } + // entityLength represents the amount of additional characters the + // entity expands into (can be negative for e.g. &). It's used to + // avoid DoS attacks through recursive entity expansions + entityLength += entity.value.size() - entity.name.size() - 2; + if (entityLength > entityExpansionLimit) { + raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); return false; } entity.isCurrentlyReferenced = true; @@ -1308,6 +1318,8 @@ case 10: entityReferenceStack.pop()->isCurrentlyReferenced = false; + if (entityReferenceStack.isEmpty()) + entityLength = 0; clearSym(); break; CVE-2020-17507 ~~~~~~~~~~~~~~ **问题描述:** An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. **修改情况:** 误报,超图使用的是qt5.6版本,不在报告的版本范围。 CVE-2017-15011 ~~~~~~~~~~~~~~ **问题描述:** The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. **修改情况:** 误报,产品包中并没有用到\ `qbittorrent `__ 库 CVE-2018-19871 ~~~~~~~~~~~~~~ **问题描述**\ : An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. **修改情况:** 参考社区修改已修补,\ https://codereview.qt-project.org/c/qt/qtimageformats/+/237761 .. code:: diff --- a/src/plugins/imageformats/tga/qtgafile.cpp +++ b/src/plugins/imageformats/tga/qtgafile.cpp @@ -163,6 +163,12 @@ if (!validDepth) { mErrorMessage = tr("Image depth not valid"); + return; + } + if (quint64(width()) * quint64(height()) > (8192 * 8192)) + { + mErrorMessage = tr("Image size exceeds limit"); + return; } int curPos = mDevice->pos(); int fileBytes = mDevice->size(); @@ -233,6 +239,8 @@ unsigned char yCorner = desc & 0x20; // 0 = lower, 1 = upper QImage im(imageWidth, imageHeight, QImage::Format_ARGB32); + if (im.isNull()) + return QImage(); TgaReader *reader = 0; if (bitsPerPixel == 16) reader = new Tga16Reader(); CVE-2018-19869 ~~~~~~~~~~~~~~ **问题描述:** An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. **修改情况:** 参考社区修改已修补,\ https://codereview.qt-project.org/c/qt/qtsvg/+/234142 .. code:: diff --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -774,16 +774,17 @@ static QString idFromUrl(const QString &url) { QString::const_iterator itr = url.constBegin(); - while ((*itr).isSpace()) + QString::const_iterator end = url.constEnd(); + while (itr != end && (*itr).isSpace()) ++itr; - if ((*itr) == QLatin1Char('(')) + if (itr != end && (*itr) == QLatin1Char('(')) ++itr; - while ((*itr).isSpace()) + while (itr != end && (*itr).isSpace()) ++itr; - if ((*itr) == QLatin1Char('#')) + if (itr != end && (*itr) == QLatin1Char('#')) ++itr; QString id; - while ((*itr) != QLatin1Char(')')) { + while (itr != end && (*itr) != QLatin1Char(')')) { id += *itr; ++itr; } CVE-2018-15518 ~~~~~~~~~~~~~~ **问题描述:** QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. **修改情况:** 参考社区修改已修补,\ https://codereview.qt-project.org/c/qt/qtbase/+/236691 .. code:: diff --- a/src/corelib/serialization/qxmlstream_p.h +++ b/src/corelib/serialization/qxmlstream_p.h @@ -1250,7 +1250,7 @@ state_stack[tos] = 0; return true; } else if (act > 0) { - if (++tos == stack_size-1) + if (++tos >= stack_size-1) reallocateStack(); Value &val = sym_stack[tos]; CVE-2017-10905 ~~~~~~~~~~~~~~ **问题描述:** A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. **修改情况:** 误报,为qt android版本出现的问题,pc版本无 CVE-2017-10904 ~~~~~~~~~~~~~~ **问题描述:** Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. **修改情况:** 参考社区修改已修补, https://www.qt.io/blog/2017/11/22/security-advisory-qt-android CVE-2018-19870 ~~~~~~~~~~~~~~ **问题描述:** An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. **修改情况:** 参考社区修改已修补, https://codereview.qt-project.org/c/qt/qtbase/+/235998 .. code:: diff --- a/src/plugins/imageformats/gif/qgifhandler.cpp +++ b/src/plugins/imageformats/gif/qgifhandler.cpp @@ -354,7 +354,8 @@ (*image) = QImage(swidth, sheight, format); bpl = image->bytesPerLine(); bits = image->bits(); - memset(bits, 0, image->sizeInBytes()); + if (bits) + memset(bits, 0, image->sizeInBytes()); } // Check if the previous attempt to create the image failed. If it @@ -415,6 +416,10 @@ backingstore = QImage(qMax(backingstore.width(), w), qMax(backingstore.height(), h), QImage::Format_RGB32); + if (backingstore.isNull()) { + state = Error; + return -1; + } memset(backingstore.bits(), 0, backingstore.sizeInBytes()); } const int dest_bpl = backingstore.bytesPerLine(); CVE-2018-21035 ~~~~~~~~~~~~~~ **问题描述:** In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). **修改情况:** 参考社区修改已修补, https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735 .. code:: diff --- a/src/websockets/qwebsocket.h +++ b/src/websockets/qwebsocket.h @@ -115,6 +115,17 @@ qint64 bytesToWrite() const; + void setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize); + quint64 maxAllowedIncomingFrameSize() const; + void setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize); + quint64 maxAllowedIncomingMessageSize() const; + static quint64 maxIncomingMessageSize(); + static quint64 maxIncomingFrameSize(); + + void setOutgoingFrameSize(quint64 outgoingFrameSize); + quint64 outgoingFrameSize() const; + static quint64 maxOutgoingFrameSize(); + public Q_SLOTS: void close(QWebSocketProtocol::CloseCode closeCode = QWebSocketProtocol::CloseCodeNormal, const QString &reason = QString()); .. code:: diff --- a/src/websockets/qwebsocket.cpp +++ b/src/websockets/qwebsocket.cpp @@ -788,4 +788,115 @@ return d->m_pSocket ? d->m_pSocket->bytesToWrite() : 0; } +/*! + \since 5.15 + Sets the maximum allowed size of an incoming websocket frame to \a maxAllowedIncomingFrameSize. + If an incoming frame exceeds this limit, the peer gets disconnected. + The accepted range is between 0 and maxIncomingFrameSize(), default is maxIncomingFrameSize(). + The purpose of this function is to avoid exhausting virtual memory. + + \sa maxAllowedIncomingFrameSize() + */ +void QWebSocket::setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize) +{ + Q_D(QWebSocket); + d->setMaxAllowedIncomingFrameSize(maxAllowedIncomingFrameSize); +} + +/*! + \since 5.15 + Returns the maximum allowed size of an incoming websocket frame. + + \sa setMaxAllowedIncomingFrameSize() + */ +quint64 QWebSocket::maxAllowedIncomingFrameSize() const +{ + Q_D(const QWebSocket); + return d->maxAllowedIncomingFrameSize(); +} + +/*! + \since 5.15 + Sets the maximum allowed size of an incoming websocket message to \a maxAllowedIncomingMessageSize. + If an incoming message exceeds this limit, the peer gets disconnected. + The accepted range is between 0 and maxIncomingMessageSize(), default is maxIncomingMessageSize(). + The purpose of this function is to avoid exhausting virtual memory. + + \sa maxAllowedIncomingMessageSize() + */ +void QWebSocket::setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize) +{ + Q_D(QWebSocket); + d->setMaxAllowedIncomingMessageSize(maxAllowedIncomingMessageSize); +} + +/*! + \since 5.15 + Returns the maximum allowed size of an incoming websocket message. + + \sa setMaxAllowedIncomingMessageSize() + */ +quint64 QWebSocket::maxAllowedIncomingMessageSize() const +{ + Q_D(const QWebSocket); + return d->maxAllowedIncomingMessageSize(); +} + +/*! + \since 5.15 + Returns the maximum supported size of an incoming websocket message for this websocket + implementation. + */ +quint64 QWebSocket::maxIncomingMessageSize() +{ + return QWebSocketPrivate::maxIncomingMessageSize(); +} + +/*! + \since 5.15 + Returns the maximum supported size of an incoming websocket frame for this websocket + implementation. + */ +quint64 QWebSocket::maxIncomingFrameSize() +{ + return QWebSocketPrivate::maxIncomingFrameSize(); +} + +/*! + \since 5.15 + Sets the maximum size of an outgoing websocket frame to \a outgoingFrameSize. + The accepted range is between 0 and maxOutgoingFrameSize(), default is 512kB. + The purpose of this function is to adapt to the maximum allowed frame size + of the receiver. + + \sa outgoingFrameSize() + */ +void QWebSocket::setOutgoingFrameSize(quint64 outgoingFrameSize) +{ + Q_D(QWebSocket); + d->setOutgoingFrameSize(outgoingFrameSize); +} + +/*! + \since 5.15 + Returns the maximum size of an outgoing websocket frame. + + \sa setOutgoingFrameSize() + */ +quint64 QWebSocket::outgoingFrameSize() const +{ + Q_D(const QWebSocket); + return d->outgoingFrameSize(); +} + +/*! + \since 5.15 + Returns the maximum supported size of an outgoing websocket frame for this websocket + implementation. + */ +quint64 QWebSocket::maxOutgoingFrameSize() +{ + return QWebSocketPrivate::maxOutgoingFrameSize(); +} + QT_END_NAMESPACE .. code:: diff --- a/src/websockets/qwebsocket_p.h +++ b/src/websockets/qwebsocket_p.h @@ -160,6 +160,17 @@ void ping(const QByteArray &payload); void setSocketState(QAbstractSocket::SocketState state); + void setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize); + quint64 maxAllowedIncomingFrameSize() const; + void setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize); + quint64 maxAllowedIncomingMessageSize() const; + static quint64 maxIncomingMessageSize(); + static quint64 maxIncomingFrameSize(); + + void setOutgoingFrameSize(quint64 outgoingFrameSize); + quint64 outgoingFrameSize() const; + static quint64 maxOutgoingFrameSize(); + private: QWebSocketPrivate(QTcpSocket *pTcpSocket, QWebSocketProtocol::Version version); void setVersion(QWebSocketProtocol::Version version); @@ -250,6 +261,8 @@ QString m_httpStatusMessage; QMultiMap m_headers; + quint64 m_outgoingFrameSize; + friend class QWebSocketServerPrivate; #ifdef Q_OS_WASM emscripten::val socketContext = emscripten::val::null(); .. code:: diff --- a/src/websockets/qwebsocket_p.cpp +++ b/src/websockets/qwebsocket_p.cpp @@ -69,7 +69,8 @@ QT_BEGIN_NAMESPACE -const quint64 FRAME_SIZE_IN_BYTES = 512 * 512 * 2; //maximum size of a frame when sending a message +const quint64 MAX_OUTGOING_FRAME_SIZE_IN_BYTES = std::numeric_limits::max() - 1; +const quint64 DEFAULT_OUTGOING_FRAME_SIZE_IN_BYTES = 512 * 512 * 2; //default size of a frame when sending a message QWebSocketConfiguration::QWebSocketConfiguration() : #ifndef QT_NO_SSL @@ -111,7 +112,8 @@ m_configuration(), m_pMaskGenerator(&m_defaultMaskGenerator), m_defaultMaskGenerator(), - m_handshakeState(NothingDoneState) + m_handshakeState(NothingDoneState), + m_outgoingFrameSize(DEFAULT_OUTGOING_FRAME_SIZE_IN_BYTES) { m_pingTimer.start(); } @@ -143,7 +145,8 @@ m_configuration(), m_pMaskGenerator(&m_defaultMaskGenerator), m_defaultMaskGenerator(), - m_handshakeState(NothingDoneState) + m_handshakeState(NothingDoneState), + m_outgoingFrameSize(DEFAULT_OUTGOING_FRAME_SIZE_IN_BYTES) { m_pingTimer.start(); } @@ -776,11 +779,11 @@ const QWebSocketProtocol::OpCode firstOpCode = isBinary ? QWebSocketProtocol::OpCodeBinary : QWebSocketProtocol::OpCodeText; - int numFrames = data.size() / int(FRAME_SIZE_IN_BYTES); + int numFrames = data.size() / int(outgoingFrameSize()); QByteArray tmpData(data); tmpData.detach(); char *payload = tmpData.data(); - quint64 sizeLeft = quint64(data.size()) % FRAME_SIZE_IN_BYTES; + quint64 sizeLeft = quint64(data.size()) % outgoingFrameSize(); if (Q_LIKELY(sizeLeft)) ++numFrames; @@ -799,7 +802,7 @@ const bool isLastFrame = (i == (numFrames - 1)); const bool isFirstFrame = (i == 0); - const quint64 size = qMin(bytesLeft, FRAME_SIZE_IN_BYTES); + const quint64 size = qMin(bytesLeft, outgoingFrameSize()); const QWebSocketProtocol::OpCode opcode = isFirstFrame ? firstOpCode : QWebSocketProtocol::OpCodeContinue; @@ -1307,6 +1310,80 @@ /*! \internal */ +void QWebSocketPrivate::setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize) +{ + m_dataProcessor.setMaxAllowedFrameSize(maxAllowedIncomingFrameSize); +} + +/*! + \internal + */ +quint64 QWebSocketPrivate::maxAllowedIncomingFrameSize() const +{ + return m_dataProcessor.maxAllowedFrameSize(); +} + +/*! + \internal + */ +void QWebSocketPrivate::setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize) +{ + m_dataProcessor.setMaxAllowedMessageSize(maxAllowedIncomingMessageSize); +} + +/*! + \internal + */ +quint64 QWebSocketPrivate::maxAllowedIncomingMessageSize() const +{ + return m_dataProcessor.maxAllowedMessageSize(); +} + +/*! + \internal + */ +quint64 QWebSocketPrivate::maxIncomingMessageSize() +{ + return QWebSocketDataProcessor::maxMessageSize(); +} + +/*! + \internal + */ +quint64 QWebSocketPrivate::maxIncomingFrameSize() +{ + return QWebSocketDataProcessor::maxFrameSize(); +} + +/*! + \internal + */ +void QWebSocketPrivate::setOutgoingFrameSize(quint64 outgoingFrameSize) +{ + if (outgoingFrameSize <= maxOutgoingFrameSize()) + m_outgoingFrameSize = outgoingFrameSize; +} + +/*! + \internal + */ +quint64 QWebSocketPrivate::outgoingFrameSize() const +{ + return m_outgoingFrameSize; +} + +/*! + \internal + */ +quint64 QWebSocketPrivate::maxOutgoingFrameSize() +{ + return MAX_OUTGOING_FRAME_SIZE_IN_BYTES; +} + + +/*! + \internal + */ void QWebSocketPrivate::setErrorString(const QString &errorString) { if (m_errorString != errorString) .. code:: diff --- a/src/websockets/qwebsocketdataprocessor.cpp +++ b/src/websockets/qwebsocketdataprocessor.cpp @@ -105,6 +105,33 @@ } } +void QWebSocketDataProcessor::setMaxAllowedFrameSize(quint64 maxAllowedFrameSize) +{ + frame.setMaxAllowedFrameSize(maxAllowedFrameSize); +} + +quint64 QWebSocketDataProcessor::maxAllowedFrameSize() const +{ + return frame.maxAllowedFrameSize(); +} + +/*! + \internal + */ +void QWebSocketDataProcessor::setMaxAllowedMessageSize(quint64 maxAllowedMessageSize) +{ + if (maxAllowedMessageSize <= maxMessageSize()) + m_maxAllowedMessageSize = maxAllowedMessageSize; +} + +/*! + \internal + */ +quint64 QWebSocketDataProcessor::maxAllowedMessageSize() const +{ + return m_maxAllowedMessageSize; +} + /*! \internal */ @@ -118,7 +145,7 @@ */ quint64 QWebSocketDataProcessor::maxFrameSize() { - return MAX_FRAME_SIZE_IN_BYTES; + return QWebSocketFrame::maxFrameSize(); } /*! @@ -167,7 +194,7 @@ ? quint64(m_textMessage.length()) : quint64(m_binaryMessage.length()); if (Q_UNLIKELY((messageLength + quint64(frame.payload().length())) > - MAX_MESSAGE_SIZE_IN_BYTES)) { + maxAllowedMessageSize())) { clear(); Q_EMIT errorEncountered(QWebSocketProtocol::CloseCodeTooMuchData, tr("Received message is too big.")); .. code:: diff --- a/src/websockets/qwebsocketdataprocessor_p.h +++ b/src/websockets/qwebsocketdataprocessor_p.h @@ -65,6 +65,8 @@ class QIODevice; class QWebSocketFrame; +const quint64 MAX_MESSAGE_SIZE_IN_BYTES = std::numeric_limits::max() - 1; + class Q_AUTOTEST_EXPORT QWebSocketDataProcessor : public QObject { Q_OBJECT @@ -74,6 +76,10 @@ explicit QWebSocketDataProcessor(QObject *parent = nullptr); ~QWebSocketDataProcessor() override; + void setMaxAllowedFrameSize(quint64 maxAllowedFrameSize); + quint64 maxAllowedFrameSize() const; + void setMaxAllowedMessageSize(quint64 maxAllowedMessageSize); + quint64 maxAllowedMessageSize() const; static quint64 maxMessageSize(); static quint64 maxFrameSize(); @@ -115,6 +121,7 @@ QTextCodec *m_pTextCodec; QWebSocketFrame frame; QTimer waitTimer; + quint64 m_maxAllowedMessageSize = MAX_MESSAGE_SIZE_IN_BYTES; bool processControlFrame(const QWebSocketFrame &frame); void timeout(); .. code:: diff --- a/src/websockets/qwebsocketframe.cpp +++ b/src/websockets/qwebsocketframe.cpp @@ -64,6 +64,31 @@ /*! \internal */ +void QWebSocketFrame::setMaxAllowedFrameSize(quint64 maxAllowedFrameSize) +{ + if (maxAllowedFrameSize <= maxFrameSize()) + m_maxAllowedFrameSize = maxAllowedFrameSize; +} + +/*! + \internal + */ +quint64 QWebSocketFrame::maxAllowedFrameSize() const +{ + return m_maxAllowedFrameSize; +} + +/*! + \internal + */ +quint64 QWebSocketFrame::maxFrameSize() +{ + return MAX_FRAME_SIZE_IN_BYTES; +} + +/*! + \internal + */ QWebSocketProtocol::CloseCode QWebSocketFrame::closeCode() const { return isDone() ? m_closeCode : QWebSocketProtocol::CloseCodeGoingAway; @@ -354,7 +379,7 @@ if (!m_length) return PS_DISPATCH_RESULT; - if (Q_UNLIKELY(m_length > MAX_FRAME_SIZE_IN_BYTES)) { + if (Q_UNLIKELY(m_length > maxAllowedFrameSize())) { setError(QWebSocketProtocol::CloseCodeTooMuchData, tr("Maximum framesize exceeded.")); return PS_DISPATCH_RESULT; } .. code:: diff --- a/src/websockets/qwebsocketframe_p.h +++ b/src/websockets/qwebsocketframe_p.h @@ -65,7 +65,6 @@ class QIODevice; const quint64 MAX_FRAME_SIZE_IN_BYTES = std::numeric_limits::max() - 1; -const quint64 MAX_MESSAGE_SIZE_IN_BYTES = std::numeric_limits::max() - 1; class Q_AUTOTEST_EXPORT QWebSocketFrame { @@ -74,6 +73,10 @@ public: QWebSocketFrame() = default; + void setMaxAllowedFrameSize(quint64 maxAllowedFrameSize); + quint64 maxAllowedFrameSize() const; + static quint64 maxFrameSize(); + QWebSocketProtocol::CloseCode closeCode() const; QString closeReason() const; bool isFinalFrame() const; @@ -118,6 +121,7 @@ bool m_rsv2 = false; bool m_rsv3 = false; bool m_isValid = false; + quint64 m_maxAllowedFrameSize = MAX_FRAME_SIZE_IN_BYTES; ProcessingState readFrameHeader(QIODevice *pIoDevice); ProcessingState readFramePayloadLength(QIODevice *pIoDevice); CVE-2020-0570 ~~~~~~~~~~~~~ **问题描述:** Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. **修改情况:** 参考社区修改已修补,\ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd .. code:: diff --- a/src/corelib/plugin/qlibrary_unix.cpp +++ b/src/corelib/plugin/qlibrary_unix.cpp @@ -1,7 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2016 The Qt Company Ltd. -** Copyright (C) 2018 Intel Corporation +** Copyright (C) 2020 Intel Corporation ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtCore module of the Qt Toolkit. @@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys() for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) { if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix))) continue; + if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) + continue; if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix))) continue; if (loadHints & QLibrary::LoadArchiveMemberHint) { CVE-2018-19873 ~~~~~~~~~~~~~~ **问题描述:** An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. **处理情况:** 参考社区修改已修补,\ https://codereview.qt-project.org/c/qt/qtbase/+/238749 .. code:: diff --- a/src/gui/image/qbmphandler.cpp +++ b/src/gui/image/qbmphandler.cpp @@ -188,6 +188,8 @@ if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) || (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS))) return false; // weird compression type + if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384) + return false; return true; } CVE-2020-24742 ~~~~~~~~~~~~~~ **问题描述:** An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. **处理情况:** 产品包未使用该功能。 CVE-2021-38593 ~~~~~~~~~~~~~~ **问题描述:** Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). **处理情况:** 产品包未使用该功能。 libjpeg-turbo ------------- CVE-2020-13790 ~~~~~~~~~~~~~~ **问题描述:** libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file. **处理情况:** 参考社区修改已修补,\ https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a .. code:: diff source->rescale = (JSAMPLE *) (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, - (size_t)(((long)maxval + 1L) * + (size_t)(((long)MAX(maxval, 255) + 1L) * sizeof(JSAMPLE))); half_maxval = maxval / 2; for (val = 0; val <= (long)maxval; val++) { CVE-2021-46822 ~~~~~~~~~~~~~~ **问题描述:** The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c. **处理情况:** 参考社区修改已修补,\ https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2 .. code:: diff @@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) register JSAMPLE *rescale = source->rescale; JDIMENSION col; unsigned int maxval = source->maxval; + register int rindex = rgb_red[cinfo->in_color_space]; + register int gindex = rgb_green[cinfo->in_color_space]; + register int bindex = rgb_blue[cinfo->in_color_space]; + register int aindex = alpha_index[cinfo->in_color_space]; + register int ps = rgb_pixelsize[cinfo->in_color_space]; if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width)) ERREXIT(cinfo, JERR_INPUT_EOF); @@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) temp |= UCH(*bufferptr++); if (temp > maxval) ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); - *ptr++ = rescale[temp]; + ptr[rindex] = rescale[temp]; temp = UCH(*bufferptr++) << 8; temp |= UCH(*bufferptr++); if (temp > maxval) ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); - *ptr++ = rescale[temp]; + ptr[gindex] = rescale[temp]; temp = UCH(*bufferptr++) << 8; temp |= UCH(*bufferptr++); if (temp > maxval) ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); - *ptr++ = rescale[temp]; + ptr[bindex] = rescale[temp]; + if (aindex >= 0) + ptr[aindex] = 0xFF; + ptr += ps; } return 1; } @@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) cinfo->in_color_space = JCS_GRAYSCALE; TRACEMS2(cinfo, 1, JTRC_PGM, w, h); if (maxval > 255) { - source->pub.get_pixel_rows = get_word_gray_row; + if (cinfo->in_color_space == JCS_GRAYSCALE) + source->pub.get_pixel_rows = get_word_gray_row; + else + ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE); } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) && cinfo->in_color_space == JCS_GRAYSCALE) { source->pub.get_pixel_rows = get_raw_row; @@ -647,7 +658,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) cinfo->in_color_space = JCS_EXT_RGB; TRACEMS2(cinfo, 1, JTRC_PPM, w, h); if (maxval > 255) { - source->pub.get_pixel_rows = get_word_rgb_row; + if (IsExtRGB(cinfo->in_color_space)) + source->pub.get_pixel_rows = get_word_rgb_row; + else + ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE); } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) && #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3 (cinfo->in_color_space == JCS_EXT_RGB || flatbuffers ----------- CVE-2020-35864 ~~~~~~~~~~~~~~ **问题描述:** An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks. **处理情况:** 误报,flatbuffer 的 rust 读写存在悬垂引用,C/C++ 不存在此情况。 libpng ------ CVE-2019-17371 ~~~~~~~~~~~~~~ **问题描述:** gif2png 2.5.13 has a memory leak in the writefile function. **处理情况:** 误报,这个漏洞是由于 gif2png 导致,并非 libpng 导致,NVD 以将其更正为 gif2png 问题。可参考:\ https://github.com/glennrp/libpng/issues/307#issuecomment-544779431