[Development] [Announce] Security advisory: Recently reported denial of service issue in QColorTransferGenericFunction impacts Qt
Ilya Fedin
fedin-ilja2010 at ya.ru
Tue Jul 15 21:32:04 CEST 2025
On Tue, 15 Jul 2025 17:22:58 +0200
Allan Sandfeld Jensen <kde at carewolf.com> wrote:
> On Tuesday, 15 July 2025 00:55:48 Central European Summer Time Ilya
> Fedin wrote:
> >
> > Could it be used indirectly via other Qt APIs? Is e.g. reading
> > images via QImage from untrusted sources affected? Is there a full
> > list of Qt APIs affected?
>
> It only affects the QColorSpace and if you use single color transform
> to or from them, AND have built Qt in debug mode where it will
> trigger an assert as one of the color values becomes infinite and upon
> further work upon it NaN which could escape simple value clamping,
> but still trigger a later assert that clamping was successful.

Ah, so release builds without asserts are unaffected?

> So yes
> it can apply to a QImage, but only if you then access the
> QImage::colorSpace(), create a QColorTransform to or from it, and use
> that to convert a QColor. If you do any other transform on them or are
> running in release, the behavior is technically undefined but will in
> practice only affect the output pixels, depending on what your CPU
> architecture does with NaN or INF float when converted to an integer.

Thanks! Nice if that's like that... I've asked because a brief search of
QColorSpace::fromICCProfile in qtbase reveals that it's used in
qjpeghandler.cpp and qpnghandler.cpp:
https://github.com/qt/qtbase/blob/d3f300dd3b7d88a729f4db2b61dc238ed6a47730/src/gui/image/qpnghandler.cpp#L448
https://github.com/qt/qtbase/blob/d3f300dd3b7d88a729f4db2b61dc238ed6a47730/src/plugins/imageformats/jpeg/qjpeghandler.cpp#L1043
Which looks to me like it should affect this QImage constructor:
https://doc.qt.io/Qt-6/qimage.html#QImage-5
And QImageReader. And that's only qtbase, I haven't searched other
modules...
So, just to make sure, my understanding that those APIs are affected is
wrong, right?
>
> Best regards
> Allan
>
>
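
The NaN behaviour described in the quoted reply above, shown as an added illustration that is not part of the thread and is not Qt's code: a clamp built from ordered comparisons passes NaN through, so a later range check fails, while a NaN-aware clamp does not. All function names and the `hostile_stage` arithmetic are constructed for this example.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Naive clamp built from ordered comparisons. Every comparison with NaN is
// false, so NaN falls through both branches and is returned unchanged.
float naive_clamp01(float v) {
    if (v < 0.0f) return 0.0f;
    if (v > 1.0f) return 1.0f;
    return v;
}

// NaN-aware clamp: only a value proven to be in range is passed through.
float safe_clamp01(float v) {
    if (!(v >= 0.0f)) return 0.0f;   // catches negatives, -inf and NaN
    if (!(v <= 1.0f)) return 1.0f;   // catches values > 1 and +inf
    return v;
}

// The kind of post-condition a debug build asserts after clamping.
bool in_unit_range(float v) { return v >= 0.0f && v <= 1.0f; }

// Constructed stand-in for a transform stage fed by untrusted parameters:
// the first step overflows to +inf, further arithmetic turns it into NaN.
float hostile_stage(float x) {
    float a = std::numeric_limits<float>::max();
    float y = a * (x + 10.0f);   // overflows to +inf
    return y - y;                // inf - inf = NaN
}

// Convert to an 8-bit channel only after the NaN-aware clamp; converting
// NaN or inf to an integer type is undefined behaviour in C++.
unsigned char to_channel(float v) {
    return static_cast<unsigned char>(std::lround(safe_clamp01(v) * 255.0f));
}

int main() {
    float v = hostile_stage(0.5f);
    std::printf("naive ok=%d safe ok=%d channel=%u\n",
                in_unit_range(naive_clamp01(v)),
                in_unit_range(safe_clamp01(v)), to_channel(v));
}
```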