[Development] [Announce] Security advisory: Recently reported denial of service issue in QColorTransferGenericFunction impacts Qt
Ilya Fedin
fedin-ilja2010 at ya.ru
Wed Jul 16 20:29:10 CEST 2025
On Wed, 16 Jul 2025 09:31:38 +0200
Allan Sandfeld Jensen <kde at carewolf.com> wrote:
> On Tuesday, 15 July 2025 21:32:04 Central European Summer Time Ilya
> Fedin wrote:
> > On Tue, 15 Jul 2025 17:22:58 +0200
> >
> > Allan Sandfeld Jensen <kde at carewolf.com> wrote:
> > > On Tuesday, 15 July 2025 00:55:48 Central European Summer Time Ilya Fedin wrote:
> > > > Could it be used indirectly via other Qt APIs? Is e.g. reading
> > > > images via QImage from untrusted sources affected? Is there a
> > > > full list of Qt APIs affected?
> > >
> > > It only affects the QColorSpace and if you use single color
> > > transform to or from them, AND have built Qt in debug mode where
> > > it will trigger an assert as one of the color values become
> > > infinite and upon further work upon it NaN which could escape
> > > simple value clamping, but still trigger a later assert that
> > > clamping was successful.
> >
> > Ah, so release builds without asserts are unaffected?
> >
> > > So yes
> > > it can apply to a QImage, but only if you then access the
> > > QImage::colorSpace() create a QColorTransform to or from it, and
> > > use that to convert a QColor. If you do any other transform on
> > > them or are running in release, the behavior is technically
> > > undefined but will in practice only affect the output pixels,
> > > depending on what your CPU architecture does with NaN or INF
> > > float when converted to an integer.
> >
> > Thanks! Nice if that's like that... I've asked because a brief
> > search of QColorSpace::fromICCProfile in qtbase reveals that it's
> > used in qjpeghandler.cpp and qpnghandler.cpp:
> >
> > https://github.com/qt/qtbase/blob/d3f300dd3b7d88a729f4db2b61dc238ed6a47730/src/gui/image/qpnghandler.cpp#L448
> >
> > https://github.com/qt/qtbase/blob/d3f300dd3b7d88a729f4db2b61dc238ed6a47730/src/plugins/imageformats/jpeg/qjpeghandler.cpp#L1043
> >
> > Which looks to me like it should affect this QImage constructor:
> >
> > https://doc.qt.io/Qt-6/qimage.html#QImage-5
> >
> > And QImageReader. And that's only qtbase, I haven't searched other
> > modules...
> >
> > So, just to make sure, my understanding that those APIs are
> > affected is wrong, right?
> >
> Only indirectly; the assert is in QColorTransform
> https://doc.qt.io/qt-6/qcolortransform.html#map-4 [1]
>
> So yes, you can load a color profile that can trigger the issue with
> all those apis, but they wouldn't trigger it on their own. You then
> have to access the color profile of the image, make a color transform
> to or from it, and then use that transform on a QColor. I don't
> personally find that a common use-case, but it is possible.
>
> Best regards
> Allan
>
> --------
> [1] https://doc.qt.io/qt-6/qcolortransform.html#map-4
Thank you for the clarification!