  1. Qt
  2. QTBUG-91770

qvnc: Arbitrary memory read vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Done
    • Affects Version/s: 5.12.10, 6.0.2
    • Fix Version/s: 5.12.11, 5.15.5, 6.1.1, 6.2.0 Alpha
    • Component/s: QPA
    • Labels:
      None
    • Commits:
      c494c1e8754ed13b409133196d9db00bf7e0f2b5 (qt/qtbase/dev)
      d4d9b4875e175b6d26fee428a8e0dd0d388fb5d8 (qt/qtbase/6.1)
      29b06697843851cd577cef7d69c428195cf08f4b (qt/qtbase/5.12)
      68c016cf0925b700235c5780b50ed554428a2fdb (qt/tqtc-qtbase/5.15)

      Description

      qtbase/src/plugins/platforms/vnc/qvncclient.cpp:
      QVncClient::frameBufferUpdateRequest() does no boundary checks on client-provided rectangle size.

      qtbase/src/plugins/platforms/vnc/qvnc.cpp:

      void QRfbRawEncoder::write()
      {
          // ...
              // rect comes from the client's request and has not been bounds-checked
              const uchar *screendata = screenImage.scanLine(rect.y)
                                        + rect.x * screenImage.depth() / 8;
          // ...
      }

      The unchecked rectangle size is used to calculate a memory offset. Whatever is at that location is encoded into pixels and sent to the client.
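
      The kind of check the description says is missing, as an added example: this is not code from the report and not the Qt fix. `ClientRect`, `Screen`, `clipToScreen` and `readRange` are hypothetical names, `Screen` stands in for the screen image geometry, and the stride is assumed to cover a full row of pixels.

```cpp
#include <cstddef>
#include <cstdint>

// Rectangle from an RFB FramebufferUpdateRequest: four client-controlled
// unsigned 16-bit fields.
struct ClientRect { uint16_t x, y, w, h; };

// Hypothetical stand-in for the screen image geometry (not QImage).
struct Screen {
    int width, height;   // pixels
    int depth;           // bits per pixel
    int bytesPerLine;    // stride in bytes
};

// Clip the request to the screen. Returns false when no part of it is on
// screen, in which case the caller must not read any pixel data.
bool clipToScreen(const ClientRect &req, const Screen &s, ClientRect *out)
{
    if (req.w == 0 || req.h == 0 || req.x >= s.width || req.y >= s.height)
        return false;
    // Sums are done in int so x + w cannot wrap around in 16 bits.
    int right  = int(req.x) + int(req.w);
    int bottom = int(req.y) + int(req.h);
    if (right > s.width)   right = s.width;
    if (bottom > s.height) bottom = s.height;
    out->x = req.x;
    out->y = req.y;
    out->w = uint16_t(right - req.x);
    out->h = uint16_t(bottom - req.y);
    return true;
}

// Same offset arithmetic as the excerpt above, applied to a clipped
// rectangle only. Yields the first byte read and one past the last.
bool readRange(const ClientRect &req, const Screen &s,
               std::size_t *begin, std::size_t *end)
{
    ClientRect c;
    if (!clipToScreen(req, s, &c))
        return false;
    *begin = std::size_t(c.y) * s.bytesPerLine + std::size_t(c.x) * s.depth / 8;
    *end   = std::size_t(c.y + c.h - 1) * s.bytesPerLine
           + std::size_t(c.x + c.w) * s.depth / 8;
    return true;
}
```

      With this in place, every byte range handed to the encoder lies inside `bytesPerLine * height`, whatever rectangle the client sends.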

            People

            Assignee:
            vgt Eirik Aavitsland
            Reporter:
            youduda Florian Freund
            PM Owner:
            Veli-Pekka Heinonen Veli-Pekka Heinonen