  1. Qt
  2. QTBUG-91769

qvnc: Denial of Service due to unchecked allocation


    Details

    • Type: Bug
    • Status: Reported
    • Priority: P4: Low
    • Resolution: Unresolved
    • Affects Version/s: 5.12.10, 6.0.2
    • Fix Version/s: None
    • Component/s: QPA
    • Labels:
      None

      Description

      qtbase/src/plugins/platforms/vnc/qvncclient.cpp:

      void QVncClient::clientCutText()
      {
          // ...
          // implicit uint32 to int32 conversion
          m_cutTextPending = ev.length;
          // ...
          // If the client sets ev.length to UINT_MAX - 1 then this condition is always true because m_cutTextPending == -2
          if (m_cutTextPending && m_clientSocket->bytesAvailable() >= m_cutTextPending) {
              // negative allocation
              char *text = new char [m_cutTextPending+1];
              // ...
          }
          // ...
      }

      m_cutTextPending is client-provided and allows the client to force an allocation of negative size (std::bad_alloc exception).
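
      The signed conversion described above, reproduced in isolation next to a bounds-checked variant. This is an added example, not Qt's code or a proposed patch; the names uncheckedWouldRead, checkedCutText and CutText and the limit kMaxCutText are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed limit for this example; not a value from Qt or the RFB protocol.
constexpr std::uint32_t kMaxCutText = 1u << 20; // 1 MiB

// Reported pattern: the 32-bit wire length lands in a signed int, so
// 0xFFFFFFFE becomes -2 and "bytesAvailable >= pending" is always true.
bool uncheckedWouldRead(std::uint32_t wireLength, std::int64_t bytesAvailable,
                        int *pendingOut)
{
    int pending = static_cast<int>(wireLength); // explicit form of the implicit conversion
    *pendingOut = pending;
    return pending && bytesAvailable >= pending;
}

enum class CutText { Reject, Empty, Incomplete, Ready };

// Hardened check: validate the length while it is still unsigned, and only
// then derive the allocation size (payload plus terminating NUL).
CutText checkedCutText(std::uint32_t wireLength, std::int64_t bytesAvailable,
                       std::size_t *allocSize)
{
    *allocSize = 0;
    if (wireLength > kMaxCutText)
        return CutText::Reject;      // caller should drop the connection
    if (wireLength == 0)
        return CutText::Empty;       // nothing to read
    if (bytesAvailable < static_cast<std::int64_t>(wireLength))
        return CutText::Incomplete;  // wait for more data
    *allocSize = static_cast<std::size_t>(wireLength) + 1;
    return CutText::Ready;
}

int main()
{
    int pending = 0;
    bool passes = uncheckedWouldRead(0xFFFFFFFEu, 0, &pending);
    std::size_t n = 0;
    CutText r = checkedCutText(0xFFFFFFFEu, 0, &n);
    std::printf("unchecked: pending=%d passes=%d alloc=%d\n", pending, passes, pending + 1);
    std::printf("checked: rejected=%d\n", r == CutText::Reject);
    return 0;
}
```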

            People

            Assignee:
            vestbo Tor Arne Vestbø
            Reporter:
            youduda Florian Freund
            PM Owner:
            Veli-Pekka Heinonen Veli-Pekka Heinonen