漏洞修改说明
qt 5.6
CVE-2015-9541
问题描述:
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
修改情况:
参考社区修改已修补, https://codereview.qt-project.org/c/qt/qtbase/+/293909
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -1308,6 +1318,8 @@
case 10:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
CVE-2020-17507
问题描述:
An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
修改情况:
误报,超图使用的是qt5.6版本,不在报告的版本范围。
CVE-2017-15011
问题描述:
The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
修改情况:
误报,产品包中并没有用到qbittorrent 库
CVE-2018-19871
问题描述:
An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
修改情况:
参考社区修改已修补,https://codereview.qt-project.org/c/qt/qtimageformats/+/237761
--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -163,6 +163,12 @@
if (!validDepth)
{
mErrorMessage = tr("Image depth not valid");
+ return;
+ }
+ if (quint64(width()) * quint64(height()) > (8192 * 8192))
+ {
+ mErrorMessage = tr("Image size exceeds limit");
+ return;
}
int curPos = mDevice->pos();
int fileBytes = mDevice->size();
@@ -233,6 +239,8 @@
unsigned char yCorner = desc & 0x20; // 0 = lower, 1 = upper
QImage im(imageWidth, imageHeight, QImage::Format_ARGB32);
+ if (im.isNull())
+ return QImage();
TgaReader *reader = 0;
if (bitsPerPixel == 16)
reader = new Tga16Reader();
CVE-2018-19869
问题描述:
An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
修改情况:
参考社区修改已修补,https://codereview.qt-project.org/c/qt/qtsvg/+/234142
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -774,16 +774,17 @@
static QString idFromUrl(const QString &url)
{
QString::const_iterator itr = url.constBegin();
- while ((*itr).isSpace())
+ QString::const_iterator end = url.constEnd();
+ while (itr != end && (*itr).isSpace())
++itr;
- if ((*itr) == QLatin1Char('('))
+ if (itr != end && (*itr) == QLatin1Char('('))
++itr;
- while ((*itr).isSpace())
+ while (itr != end && (*itr).isSpace())
++itr;
- if ((*itr) == QLatin1Char('#'))
+ if (itr != end && (*itr) == QLatin1Char('#'))
++itr;
QString id;
- while ((*itr) != QLatin1Char(')')) {
+ while (itr != end && (*itr) != QLatin1Char(')')) {
id += *itr;
++itr;
}
CVE-2018-15518
问题描述:
QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
修改情况:
参考社区修改已修补,https://codereview.qt-project.org/c/qt/qtbase/+/236691
CVE-2017-10905
问题描述:
A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
修改情况:
误报,为qt android版本出现的问题,pc版本无
CVE-2017-10904
问题描述:
Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
修改情况:
参考社区修改已修补, https://www.qt.io/blog/2017/11/22/security-advisory-qt-android
CVE-2018-19870
问题描述:
An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
修改情况:
参考社区修改已修补, https://codereview.qt-project.org/c/qt/qtbase/+/235998
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -354,7 +354,8 @@
(*image) = QImage(swidth, sheight, format);
bpl = image->bytesPerLine();
bits = image->bits();
- memset(bits, 0, image->sizeInBytes());
+ if (bits)
+ memset(bits, 0, image->sizeInBytes());
}
// Check if the previous attempt to create the image failed. If it
@@ -415,6 +416,10 @@
backingstore = QImage(qMax(backingstore.width(), w),
qMax(backingstore.height(), h),
QImage::Format_RGB32);
+ if (backingstore.isNull()) {
+ state = Error;
+ return -1;
+ }
memset(backingstore.bits(), 0, backingstore.sizeInBytes());
}
const int dest_bpl = backingstore.bytesPerLine();
CVE-2018-21035
问题描述:
In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
修改情况:
参考社区修改已修补, https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
--- a/src/websockets/qwebsocket.h
+++ b/src/websockets/qwebsocket.h
@@ -115,6 +115,17 @@
qint64 bytesToWrite() const;
+ void setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize);
+ quint64 maxAllowedIncomingFrameSize() const;
+ void setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize);
+ quint64 maxAllowedIncomingMessageSize() const;
+ static quint64 maxIncomingMessageSize();
+ static quint64 maxIncomingFrameSize();
+
+ void setOutgoingFrameSize(quint64 outgoingFrameSize);
+ quint64 outgoingFrameSize() const;
+ static quint64 maxOutgoingFrameSize();
+
public Q_SLOTS:
void close(QWebSocketProtocol::CloseCode closeCode = QWebSocketProtocol::CloseCodeNormal,
const QString &reason = QString());
--- a/src/websockets/qwebsocket.cpp
+++ b/src/websockets/qwebsocket.cpp
@@ -788,4 +788,115 @@
return d->m_pSocket ? d->m_pSocket->bytesToWrite() : 0;
}
+/*!
+ \since 5.15
+ Sets the maximum allowed size of an incoming websocket frame to \a maxAllowedIncomingFrameSize.
+ If an incoming frame exceeds this limit, the peer gets disconnected.
+ The accepted range is between 0 and maxIncomingFrameSize(), default is maxIncomingFrameSize().
+ The purpose of this function is to avoid exhausting virtual memory.
+
+ \sa maxAllowedIncomingFrameSize()
+ */
+void QWebSocket::setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize)
+{
+ Q_D(QWebSocket);
+ d->setMaxAllowedIncomingFrameSize(maxAllowedIncomingFrameSize);
+}
+
+/*!
+ \since 5.15
+ Returns the maximum allowed size of an incoming websocket frame.
+
+ \sa setMaxAllowedIncomingFrameSize()
+ */
+quint64 QWebSocket::maxAllowedIncomingFrameSize() const
+{
+ Q_D(const QWebSocket);
+ return d->maxAllowedIncomingFrameSize();
+}
+
+/*!
+ \since 5.15
+ Sets the maximum allowed size of an incoming websocket message to \a maxAllowedIncomingMessageSize.
+ If an incoming message exceeds this limit, the peer gets disconnected.
+ The accepted range is between 0 and maxIncomingMessageSize(), default is maxIncomingMessageSize().
+ The purpose of this function is to avoid exhausting virtual memory.
+
+ \sa maxAllowedIncomingMessageSize()
+ */
+void QWebSocket::setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize)
+{
+ Q_D(QWebSocket);
+ d->setMaxAllowedIncomingMessageSize(maxAllowedIncomingMessageSize);
+}
+
+/*!
+ \since 5.15
+ Returns the maximum allowed size of an incoming websocket message.
+
+ \sa setMaxAllowedIncomingMessageSize()
+ */
+quint64 QWebSocket::maxAllowedIncomingMessageSize() const
+{
+ Q_D(const QWebSocket);
+ return d->maxAllowedIncomingMessageSize();
+}
+
+/*!
+ \since 5.15
+ Returns the maximum supported size of an incoming websocket message for this websocket
+ implementation.
+ */
+quint64 QWebSocket::maxIncomingMessageSize()
+{
+ return QWebSocketPrivate::maxIncomingMessageSize();
+}
+
+/*!
+ \since 5.15
+ Returns the maximum supported size of an incoming websocket frame for this websocket
+ implementation.
+ */
+quint64 QWebSocket::maxIncomingFrameSize()
+{
+ return QWebSocketPrivate::maxIncomingFrameSize();
+}
+
+/*!
+ \since 5.15
+ Sets the maximum size of an outgoing websocket frame to \a outgoingFrameSize.
+ The accepted range is between 0 and maxOutgoingFrameSize(), default is 512kB.
+ The purpose of this function is to adapt to the maximum allowed frame size
+ of the receiver.
+
+ \sa outgoingFrameSize()
+ */
+void QWebSocket::setOutgoingFrameSize(quint64 outgoingFrameSize)
+{
+ Q_D(QWebSocket);
+ d->setOutgoingFrameSize(outgoingFrameSize);
+}
+
+/*!
+ \since 5.15
+ Returns the maximum size of an outgoing websocket frame.
+
+ \sa setOutgoingFrameSize()
+ */
+quint64 QWebSocket::outgoingFrameSize() const
+{
+ Q_D(const QWebSocket);
+ return d->outgoingFrameSize();
+}
+
+/*!
+ \since 5.15
+ Returns the maximum supported size of an outgoing websocket frame for this websocket
+ implementation.
+ */
+quint64 QWebSocket::maxOutgoingFrameSize()
+{
+ return QWebSocketPrivate::maxOutgoingFrameSize();
+}
+
QT_END_NAMESPACE
--- a/src/websockets/qwebsocket_p.h
+++ b/src/websockets/qwebsocket_p.h
@@ -160,6 +160,17 @@
void ping(const QByteArray &payload);
void setSocketState(QAbstractSocket::SocketState state);
+ void setMaxAllowedIncomingFrameSize(quint64 maxAllowedIncomingFrameSize);
+ quint64 maxAllowedIncomingFrameSize() const;
+ void setMaxAllowedIncomingMessageSize(quint64 maxAllowedIncomingMessageSize);
+ quint64 maxAllowedIncomingMessageSize() const;
+ static quint64 maxIncomingMessageSize();
+ static quint64 maxIncomingFrameSize();
+
+ void setOutgoingFrameSize(quint64 outgoingFrameSize);
+ quint64 outgoingFrameSize() const;
+ static quint64 maxOutgoingFrameSize();
+
private:
QWebSocketPrivate(QTcpSocket *pTcpSocket, QWebSocketProtocol::Version version);
void setVersion(QWebSocketProtocol::Version version);
@@ -250,6 +261,8 @@
QString m_httpStatusMessage;
QMultiMap<QString, QString> m_headers;
+ quint64 m_outgoingFrameSize;
+
friend class QWebSocketServerPrivate;
#ifdef Q_OS_WASM
emscripten::val socketContext = emscripten::val::null();
--- a/src/websockets/qwebsocketdataprocessor.cpp
+++ b/src/websockets/qwebsocketdataprocessor.cpp
@@ -105,6 +105,33 @@
}
}
+void QWebSocketDataProcessor::setMaxAllowedFrameSize(quint64 maxAllowedFrameSize)
+{
+ frame.setMaxAllowedFrameSize(maxAllowedFrameSize);
+}
+
+quint64 QWebSocketDataProcessor::maxAllowedFrameSize() const
+{
+ return frame.maxAllowedFrameSize();
+}
+
+/*!
+ \internal
+ */
+void QWebSocketDataProcessor::setMaxAllowedMessageSize(quint64 maxAllowedMessageSize)
+{
+ if (maxAllowedMessageSize <= maxMessageSize())
+ m_maxAllowedMessageSize = maxAllowedMessageSize;
+}
+
+/*!
+ \internal
+ */
+quint64 QWebSocketDataProcessor::maxAllowedMessageSize() const
+{
+ return m_maxAllowedMessageSize;
+}
+
/*!
\internal
*/
@@ -118,7 +145,7 @@
*/
quint64 QWebSocketDataProcessor::maxFrameSize()
{
- return MAX_FRAME_SIZE_IN_BYTES;
+ return QWebSocketFrame::maxFrameSize();
}
/*!
@@ -167,7 +194,7 @@
? quint64(m_textMessage.length())
: quint64(m_binaryMessage.length());
if (Q_UNLIKELY((messageLength + quint64(frame.payload().length())) >
- MAX_MESSAGE_SIZE_IN_BYTES)) {
+ maxAllowedMessageSize())) {
clear();
Q_EMIT errorEncountered(QWebSocketProtocol::CloseCodeTooMuchData,
tr("Received message is too big."));
--- a/src/websockets/qwebsocketdataprocessor_p.h
+++ b/src/websockets/qwebsocketdataprocessor_p.h
@@ -65,6 +65,8 @@
class QIODevice;
class QWebSocketFrame;
+const quint64 MAX_MESSAGE_SIZE_IN_BYTES = std::numeric_limits<int>::max() - 1;
+
class Q_AUTOTEST_EXPORT QWebSocketDataProcessor : public QObject
{
Q_OBJECT
@@ -74,6 +76,10 @@
explicit QWebSocketDataProcessor(QObject *parent = nullptr);
~QWebSocketDataProcessor() override;
+ void setMaxAllowedFrameSize(quint64 maxAllowedFrameSize);
+ quint64 maxAllowedFrameSize() const;
+ void setMaxAllowedMessageSize(quint64 maxAllowedMessageSize);
+ quint64 maxAllowedMessageSize() const;
static quint64 maxMessageSize();
static quint64 maxFrameSize();
@@ -115,6 +121,7 @@
QTextCodec *m_pTextCodec;
QWebSocketFrame frame;
QTimer waitTimer;
+ quint64 m_maxAllowedMessageSize = MAX_MESSAGE_SIZE_IN_BYTES;
bool processControlFrame(const QWebSocketFrame &frame);
void timeout();
--- a/src/websockets/qwebsocketframe.cpp
+++ b/src/websockets/qwebsocketframe.cpp
@@ -64,6 +64,31 @@
/*!
\internal
*/
+void QWebSocketFrame::setMaxAllowedFrameSize(quint64 maxAllowedFrameSize)
+{
+ if (maxAllowedFrameSize <= maxFrameSize())
+ m_maxAllowedFrameSize = maxAllowedFrameSize;
+}
+
+/*!
+ \internal
+ */
+quint64 QWebSocketFrame::maxAllowedFrameSize() const
+{
+ return m_maxAllowedFrameSize;
+}
+
+/*!
+ \internal
+ */
+quint64 QWebSocketFrame::maxFrameSize()
+{
+ return MAX_FRAME_SIZE_IN_BYTES;
+}
+
+/*!
+ \internal
+ */
QWebSocketProtocol::CloseCode QWebSocketFrame::closeCode() const
{
return isDone() ? m_closeCode : QWebSocketProtocol::CloseCodeGoingAway;
@@ -354,7 +379,7 @@
if (!m_length)
return PS_DISPATCH_RESULT;
- if (Q_UNLIKELY(m_length > MAX_FRAME_SIZE_IN_BYTES)) {
+ if (Q_UNLIKELY(m_length > maxAllowedFrameSize())) {
setError(QWebSocketProtocol::CloseCodeTooMuchData, tr("Maximum framesize exceeded."));
return PS_DISPATCH_RESULT;
}
CVE-2020-0570
问题描述:
Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
修改情况:
参考社区修改已修补,https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd
--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
@@ -1,7 +1,7 @@
/****************************************************************************
**
** Copyright (C) 2016 The Qt Company Ltd.
-** Copyright (C) 2018 Intel Corporation
+** Copyright (C) 2020 Intel Corporation
** Contact: https://www.qt.io/licensing/
**
** This file is part of the QtCore module of the Qt Toolkit.
@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
continue;
+ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
+ continue;
if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
continue;
if (loadHints & QLibrary::LoadArchiveMemberHint) {
CVE-2018-19873
问题描述:
An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
处理情况:
参考社区修改已修补,https://codereview.qt-project.org/c/qt/qtbase/+/238749
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -188,6 +188,8 @@
if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
(nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
return false; // weird compression type
+ if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
+ return false;
return true;
}
CVE-2020-24742
问题描述:
An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
处理情况:
产品包未使用该功能。
CVE-2021-38593
问题描述:
Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
处理情况:
产品包未使用该功能。
libjpeg-turbo
CVE-2020-13790
问题描述:
libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
处理情况:
参考社区修改已修补,https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a
source->rescale = (JSAMPLE *)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
- (size_t)(((long)maxval + 1L) *
+ (size_t)(((long)MAX(maxval, 255) + 1L) *
sizeof(JSAMPLE)));
half_maxval = maxval / 2;
for (val = 0; val <= (long)maxval; val++) {
CVE-2021-46822
问题描述:
The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.
处理情况:
参考社区修改已修补,https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2
@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
register JSAMPLE *rescale = source->rescale;
JDIMENSION col;
unsigned int maxval = source->maxval;
+ register int rindex = rgb_red[cinfo->in_color_space];
+ register int gindex = rgb_green[cinfo->in_color_space];
+ register int bindex = rgb_blue[cinfo->in_color_space];
+ register int aindex = alpha_index[cinfo->in_color_space];
+ register int ps = rgb_pixelsize[cinfo->in_color_space];
if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
temp |= UCH(*bufferptr++);
if (temp > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
- *ptr++ = rescale[temp];
+ ptr[rindex] = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
- *ptr++ = rescale[temp];
+ ptr[gindex] = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
- *ptr++ = rescale[temp];
+ ptr[bindex] = rescale[temp];
+ if (aindex >= 0)
+ ptr[aindex] = 0xFF;
+ ptr += ps;
}
return 1;
}
@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
cinfo->in_color_space = JCS_GRAYSCALE;
TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
if (maxval > 255) {
- source->pub.get_pixel_rows = get_word_gray_row;
+ if (cinfo->in_color_space == JCS_GRAYSCALE)
+ source->pub.get_pixel_rows = get_word_gray_row;
+ else
+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
cinfo->in_color_space == JCS_GRAYSCALE) {
source->pub.get_pixel_rows = get_raw_row;
@@ -647,7 +658,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
cinfo->in_color_space = JCS_EXT_RGB;
TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
if (maxval > 255) {
- source->pub.get_pixel_rows = get_word_rgb_row;
+ if (IsExtRGB(cinfo->in_color_space))
+ source->pub.get_pixel_rows = get_word_rgb_row;
+ else
+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3
(cinfo->in_color_space == JCS_EXT_RGB ||
flatbuffers
CVE-2020-35864
问题描述:
An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks.
处理情况:
误报,flatbuffer 的 rust 读写存在悬垂引用,C/C++ 不存在此情况。
libpng
CVE-2019-17371
问题描述:
gif2png 2.5.13 has a memory leak in the writefile function.
处理情况:
误报,这个漏洞是由于 gif2png 导致,并非 libpng 导致,NVD 以将其更正为 gif2png 问题。可参考:https://github.com/glennrp/libpng/issues/307#issuecomment-544779431