[Announce] Qt Security Advisory: DoS vulnerability in the GIF image handler

List for announcements regarding Qt releases and development announce at qt-project.org
Thu Apr 24 20:48:21 CEST 2014

Qt Project Security Advisory

Title:        DoS vulnerability in the GIF image handler
Risk Rating:  Low
CVE:          CVE-2014-0190
Platforms:    All
Modules:      QtBase
Versions:     All versions before 5.3
Author:       Richard J. Moore <rich at kde.org> and Lars Knoll <lars.knoll at digia.com>
Date:         24 April 2014


The builtin GIF decoder in QtGui prior to Qt 5.3 contained a bug that would lead
to a null pointer dereference when loading certain hand crafted corrupt GIF files.
This in turn would cause the application loading these hand crafted GIFs to crash.


It is possible to construct GIF files with invalid width and height specifications that
would cause Qt to not create an image for them. The resulting null pointer for the
image data would then get dereferenced for writing into it leading to a crash in the
application. Qt versions prior to 5.3 did not properly check for the image data being
null before accessing it.


An application loading the malicious GIF file will crash.




Upgrade to Qt 5.3 once released or apply the patches below:

For Qt 5.0 to 5.2:


For Qt 4.8:



The Qt security team would like to thank Wolfgang Schenk for reporting the issue and Rich Moore for
providing the initial analysis and fix.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/announce/attachments/20140424/7f175133/attachment.html>

More information about the Announce mailing list