On Tue, 15 Jul 2025 17:22:58 +0200 Allan Sandfeld Jensen <k...@carewolf.com> wrote:

> On Tuesday, 15 July 2025 00:55:48 Central European Summer Time Ilya Fedin wrote:
> >
> > Could it be used indirectly via other Qt APIs? Is e.g. reading
> > images via QImage from untrusted sources affected? Is there a full
> > list of Qt APIs affected?
>
> It only affects the QColorSpace and if you use single color transform
> to or from them, AND have built Qt in debug mode where it will
> trigger an assert as one of the color values becomes infinite and upon
> further work upon it NaN which could escape simple value clamping,
> but still trigger a later assert that clamping was successful.

Ah, so release builds without asserts are unaffected?

> So yes
> it can apply to a QImage, but only if you then access the
> QImage::colorSpace(), create a QColorTransform to or from it, and use
> that to convert a QColor. If you do any other transform on them or are
> running in release, the behavior is technically undefined but will in
> practice only affect the output pixels, depending on what your CPU
> architecture does with NaN or INF float when converted to an integer.

Thanks! Nice if that's like that... I've asked because a brief search of QColorSpace::fromICCProfile in qtbase reveals that it's used in qjpeghandler.cpp and qpnghandler.cpp:

https://github.com/qt/qtbase/blob/d3f300dd3b7d88a729f4db2b61dc238ed6a47730/src/gui/image/qpnghandler.cpp#L448
https://github.com/qt/qtbase/blob/d3f300dd3b7d88a729f4db2b61dc238ed6a47730/src/plugins/imageformats/jpeg/qjpeghandler.cpp#L1043

Which looks to me like it should affect this QImage constructor:

https://doc.qt.io/Qt-6/qimage.html#QImage-5

And QImageReader. And that's only qtbase, I haven't searched other modules...

So, just to make sure, my understanding that those APIs are affected is wrong, right?

>
> Best regards
> Allan
>

-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
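The exchange above turns on two float-arithmetic facts: a channel value that becomes INF can become NaN with further arithmetic, and NaN "escapes simple value clamping" because every comparison with NaN is false. The following is an added example, not code from Qt or from anyone in the thread; it uses plain C++ with a constructed stand-in for a degenerate colour transform (the function names `degenerateTransform`, `naiveClamp01`, `safeClamp01`, `toByte` and `channelsFinite` are all hypothetical) to show the naive clamp letting NaN through, a NaN-aware clamp that yields a defined value, and a finiteness check of the kind a debug assert or a release-mode guard would perform before converting to an integer pixel value.

```cpp
// Added example (not Qt's code). Demonstrates why NaN slips past a
// min/max clamp and how to clamp so that the integer conversion that
// follows is always defined.
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed stand-in for the failure mode described in the thread: a
// zero scale factor (think of a degenerate curve in an untrusted ICC
// profile) turns a channel into +INF, and INF - INF in a later step turns
// it into NaN. With a sane scale the result is an ordinary finite value.
float degenerateTransform(float channel, float scale) {
    float scaled = channel / scale;   // scale == 0  ->  +INF (IEEE 754)
    return scaled - scaled;           // INF - INF   ->  NaN; finite -> 0
}

// Naive clamp to [0,1] built from std::max/std::min. Both compare with
// '<', and every comparison involving NaN is false, so NaN comes back
// unchanged: the clamp "succeeds" without producing an in-range value.
float naiveClamp01(float v) {
    return std::min(std::max(v, 0.0f), 1.0f);
}

// NaN-aware clamp. The negated comparison '!(v >= 0)' is true for NaN as
// well as for negatives and -INF, so NaN is mapped to the lower bound;
// '+INF > 1' handles the upper side. The result is always finite and
// inside [0,1], which is what a later assert would want to verify.
float safeClamp01(float v) {
    if (!(v >= 0.0f)) return 0.0f;
    if (v > 1.0f) return 1.0f;
    return v;
}

// Normalised channel -> 8-bit value. Converting NaN or an out-of-range
// float to an integer is undefined behaviour in C++ (the "depends on
// what your CPU architecture does" case from the thread), so clamp first.
std::uint8_t toByte(float v) {
    float c = safeClamp01(v);
    return static_cast<std::uint8_t>(c * 255.0f + 0.5f);
}

// Guard a transform can apply to its output before it is used further:
// true iff every channel is finite (neither NaN nor +/-INF).
bool channelsFinite(float r, float g, float b) {
    return std::isfinite(r) && std::isfinite(g) && std::isfinite(b);
}

int main() {
    float bad = degenerateTransform(0.5f, 0.0f);   // NaN
    std::printf("naive clamp of NaN is NaN: %d\n", std::isnan(naiveClamp01(bad)));
    std::printf("safe clamp of NaN: %g -> byte %u\n", safeClamp01(bad), toByte(bad));
    std::printf("channels finite: %d\n", channelsFinite(0.1f, bad, 0.3f));
    return 0;
}
```

The point of the negated comparison in `safeClamp01` is that it is the only branch shape that catches NaN without a separate `std::isnan` call; `std::clamp` and the `std::min`/`std::max` pair both propagate NaN, so a transform that "clamps" with them and then casts to an integer still reaches undefined behaviour.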