Source: qtbase-opensource-src
Version: 5.15.10+dfsg-6
Severity: normal
Tags: patch security
Dear Maintainer,
Security advisory CVE-2024-25580, a buffer overflow affecting KTX image
handling in QT, has been announced[1], and the announcement includes patches
for various versions of QT including the v5.15 branch.
I've confirmed that the patch applies cleanly to qtbase-opensource-src versions
5.15.8+dfsg-11 (bookworm / stable) and 5.15.10+dfsg-6 (trixie / testing), and
have successfully compiled the trixie package.
Please find attached the v5.15 patch from upstream.
( sha256sum 7cc9bf74f696de8ec5386bb80ce7a2fed5aa3870ac0e2c7db4628621c5c1a731 )
Regards,
James
[1] - https://lists.qt-project.org/pipermail/announce/2024-February/000472.html
diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
index 0d98e97453..6a79e55109 100644
--- a/src/gui/util/qktxhandler.cpp
+++ b/src/gui/util/qktxhandler.cpp
@@ -73,7 +73,7 @@ struct KTXHeader {
quint32 bytesOfKeyValueData;
};
-static const quint32 headerSize = sizeof(KTXHeader);
+static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
// Currently unused, declared for future reference
struct KTXKeyValuePairItem {
@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
*/
};
-bool QKtxHandler::canRead(const QByteArray , const QByteArray )
+static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) {
+// unsigned additions are well-defined
+*r = v1 + v2;
+return v1 > quint32(v1 + v2);
+}
+
+// Returns the nearest multiple of 4 greater than or equal to 'value'
+static bool nearestMultipleOf4(quint32 value, quint32 *result)
+{
+constexpr quint32 rounding = 4;
+*result = 0;
+if (qAddOverflow(value, rounding - 1, result))
+return true;
+*result &= ~(rounding - 1);
+return false;
+}
+
+// Returns a slice with prechecked bounds
+static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32
length)
{
-Q_UNUSED(suffix)
+quint32 end = 0;
+if (qAddOverflow(start, length, ) || end > quint32(array.length()))
+return {};
+return QByteArray(array.data() + start, length);
+}
-return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH)
== 0);
+bool QKtxHandler::canRead(const QByteArray , const QByteArray )
+{
+Q_UNUSED(suffix);
+return block.startsWith(QByteArray::fromRawData(ktxIdentifier,
KTX_IDENTIFIER_LENGTH));
}
QTextureFileData QKtxHandler::read()
@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read()
if (!device())
return QTextureFileData();
-QByteArray buf = device()->readAll();
-const quint32 dataSize = quint32(buf.size());
-if (dataSize < headerSize || !canRead(QByteArray(), buf)) {
-qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s",
logName().constData());
+const QByteArray buf = device()->readAll();
+if (size_t(buf.size()) > std::numeric_limits::max()) {
+qWarning(lcQtGuiTextureIO, "Too big KTX file %s",
logName().constData());
+return QTextureFileData();
+}
+
+if (!canRead(QByteArray(), buf)) {
+qWarning(lcQtGuiTextureIO, "Invalid KTX file %s",
logName().constData());
+return QTextureFileData();
+}
+
+if (buf.size() < qsizetype(qktxh_headerSize)) {
+qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s",
logName().constData());
return QTextureFileData();
}
-const KTXHeader *header = reinterpret_cast(buf.constData());
-if (!checkHeader(*header)) {
-qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s",
logName().constData());
+KTXHeader header;
+memcpy(, buf.data(), qktxh_headerSize);
+if (!checkHeader(header)) {
+qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s",
logName().constData());
return QTextureFileData();
}
QTextureFileData texData;
texData.setData(buf);
-texData.setSize(QSize(decode(header->pixelWidth),
decode(header->pixelHeight)));
-texData.setGLFormat(decode(header->glFormat));
-texData.setGLInternalFormat(decode(header->glInternalFormat));
-texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat));
-
-texData.setNumLevels(decode(header->numberOfMipmapLevels));
-quint32 offset = headerSize + decode(header->bytesOfKeyValueData);
-const int maxLevels = qMin(texData.numLevels(), 32); // Cap
iterations in case of corrupt file.
-for (int i = 0; i < maxLevels; i++) {
-if (offset + sizeof(KTXMipmapLevel) > dataSize)//
Corrupt file; avoid oob read
-break;
-const KTXMipmapLevel *level = reinterpret_cast(buf.constData() + offset);
-quint32 levelLen = decode(level->imageSize);
-texData.setDataOffset(offset + sizeof(KTXMipmapLevel::imageSize), i);
-texData.setDataLength(levelLen, i);
-offset += sizeof(KTXMipmapLevel::imageSize) + levelLen + (3 -
((levelLen + 3) % 4));
+
