Qt / QTBUG-91770

qvnc: Arbitrary memory read vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Done
    • Affects Version/s: 5.12.10, 6.0.2
    • Fix Version/s: 5.12.11, 5.15.5, 6.1.1, 6.2.0 Alpha
    • Component/s: QPA
    • Labels:
      None

      Description

      qtbase/src/plugins/platforms/vnc/qvncclient.cpp:
      QVncClient::frameBufferUpdateRequest() does no boundary checks on the client-provided rectangle size.

      qtbase/src/plugins/platforms/vnc/qvnc.cpp:

      void QRfbRawEncoder::write()
      {
          // ...
          // rect comes from the client's update request and is not range-checked
          const uchar *screendata = screenImage.scanLine(rect.y)
                                    + rect.x * screenImage.depth() / 8;
          // ...
      }

      The unchecked rectangle size is used to calculate a memory offset. Whatever is at that location is encoded into pixels and sent to the client.
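
One way to clip a client-supplied update rectangle to the screen before any framebuffer pointer is derived from it. This is an added example, not code from the issue and not Qt's fix; `Rect`, `Framebuffer`, `clampToScreen` and `encodeRaw` are hypothetical stand-ins, and the 4x3 screen is constructed sample data.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins (not Qt types). RFB sends x, y, w, h as unsigned 16-bit.
struct Rect { uint16_t x, y, w, h; };

struct Framebuffer {
    int width, height, bytesPerPixel;
    std::vector<uint8_t> data;
    Framebuffer(int w, int h, int bpp)
        : width(w), height(h), bytesPerPixel(bpp), data(size_t(w) * h * bpp) {}
    const uint8_t *scanLine(int y) const {
        return data.data() + size_t(y) * width * bytesPerPixel;
    }
};

// Clip a client-supplied rectangle to the screen; false means "send nothing".
bool clampToScreen(const Rect &r, const Framebuffer &fb, Rect &clipped) {
    if (r.x >= fb.width || r.y >= fb.height)
        return false;                              // origin is off-screen
    // Widen before adding so x + w cannot wrap in 16 bits.
    uint32_t right  = std::min<uint32_t>(uint32_t(r.x) + r.w, uint32_t(fb.width));
    uint32_t bottom = std::min<uint32_t>(uint32_t(r.y) + r.h, uint32_t(fb.height));
    if (right == r.x || bottom == r.y)
        return false;                              // zero width or height
    clipped = Rect{r.x, r.y, uint16_t(right - r.x), uint16_t(bottom - r.y)};
    return true;
}

// Raw-encode the request: every source pointer comes from the clipped rectangle.
std::vector<uint8_t> encodeRaw(const Rect &request, const Framebuffer &fb) {
    std::vector<uint8_t> out;
    Rect r;
    if (!clampToScreen(request, fb, r)) return out;
    const size_t rowBytes = size_t(r.w) * fb.bytesPerPixel;
    for (int y = r.y; y < r.y + r.h; ++y) {
        const uint8_t *src = fb.scanLine(y) + size_t(r.x) * fb.bytesPerPixel;
        out.insert(out.end(), src, src + rowBytes);
    }
    return out;
}

int main() {
    Framebuffer fb(4, 3, 4);                       // constructed 4x3 screen, 32 bpp
    std::printf("%zu\n", encodeRaw(Rect{2, 1, 100, 100}, fb).size());
}
```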

            People

            Assignee:
            vgt Eirik Aavitsland
            Reporter:
            youduda Florian Freund
            PM Owner:
            Veli-Pekka Heinonen Veli-Pekka Heinonen