[Announce] Qt Security Advisory: DoS vulnerability in the GIF image handler
List for announcements regarding Qt releases and development
announce at qt-project.org
Thu Apr 24 20:48:21 CEST 2014
Qt Project Security Advisory
Title: DoS vulnerability in the GIF image handler
Risk Rating: Low
Versions: All versions before 5.3
Author: Richard J. Moore <rich at kde.org> and Lars Knoll <lars.knoll at digia.com>
Date: 24 April 2014
The builtin GIF decoder in QtGui prior to Qt 5.3 contained a bug that would lead
to a null pointer dereference when loading certain hand crafted corrupt GIF files.
This in turn would cause the application loading these hand crafted GIFs to crash.
It is possible to construct GIF files with invalid width and height specifications that
would cause Qt to not create an image for them. The resulting null pointer for the
image data would then get dereferenced for writing into it leading to a crash in the
application. Qt versions prior to 5.3 did not properly check for the image data being
null before accessing it.
An application loading the malicious GIF file will crash.
Upgrade to Qt 5.3 once released or apply the patches below:
For Qt 5.0 to 5.2:
For Qt 4.8:
The Qt security team would like to thank Wolfgang Schenk for reporting the issue and Rich Moore for
providing the initial analysis and fix.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Announce