<table><tr><td style="">fvogt edited the summary of this revision. <a href="https://phabricator.kde.org/transactions/detail/PHID-XACT-DREV-vg7pnpqbbz7qrix/">(Show Details)</a><br />fvogt edited the test plan for this revision. <a href="https://phabricator.kde.org/transactions/detail/PHID-XACT-DREV-orep5vczq6tq5dz/">(Show Details)</a>
</td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px 8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); display: inline-block; border: 1px solid rgba(71,87,120,.2);" href="https://phabricator.kde.org/D18574">View Revision</a></tr></table><br /><div><strong>CHANGES TO REVISION SUMMARY</strong><div><div style="white-space: pre-wrap; color: #74777D;"><span style="padding: 0 2px; color: #333333; background: rgba(151, 234, 151, .6);">I had a look at some image loading code in kimageformats and found memory<br />
corruption bugs (there might be more):<br />
<br />
- oobwrite4b.xcf: OOB write in kimg_xcf:<br />
<br />
By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make<br />
size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten:<br />
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484<br />
The values aren't arbitrary, so AFAICT DoS only.<br />
Fix is to move the sanity check for size below the assignment.<br />
<br />
- oobread.tga: OOB read in kimg_tga:<br />
<br />
By overflowing the "size = tga.width * tga.height * pixel_size" calculation,<br />
it's possible to cause OOB reads later on as the image data array is too small:<br />
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192<br />
Fix is to use a 64bit integer instead.<br />
<br />
- oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga<br />
<br />
If RLE is enabled, any size checks are skipped, so it's possible to write<br />
either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga)<br />
or or 507 arbitrary bytes (oobwrite507.tga) out of bounds.<br />
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209<br />
Fix is to check for "num" being negative before reading into the buffer.<br />
<br />
Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise)</span></div></div></div><br /><div><strong>CHANGES TO TEST PLAN</strong><div><div style="white-space: pre-wrap; color: #74777D;"><span style="padding: 0 2px; color: #333333; background: rgba(251, 175, 175, .7);">No</span><span style="padding: 0 2px; color: #333333; background: rgba(151, 234, 151, .6);">Stopped</span> crash<span style="padding: 0 2px; color: #333333; background: rgba(151, 234, 151, .6);">ing and valgrind don't complain</span> anym<span style="padding: 0 2px; color: #333333; background: rgba(251, 175, 175, .7);">ore</span><span style="padding: 0 2px; color: #333333; background: rgba(151, 234, 151, .6);">ore.<br />
<br />
TGA preview still works for valid files</span>.</div></div></div><br /><div><strong>REPOSITORY</strong><div><div>R287 KImageFormats</div></div></div><br /><div><strong>REVISION DETAIL</strong><div><a href="https://phabricator.kde.org/D18574">https://phabricator.kde.org/D18574</a></div></div><br /><div><strong>To: </strong>fvogt, aacid<br /><strong>Cc: </strong>lbeltrame, kde-frameworks-devel, michaelh, ngraham, bruns<br /></div>