Qt Project Security Advisory
----------------------------

Title: DoS vulnerability in the BMP image handler
Risk Rating: Low
CVE: CVE-2015-0295
Platforms: All
Modules: QtBase
Versions: All versions before 5.5
Author: Richard J. Moore <rich at kde.org>
Date: 22 February 2015

Overview
--------

The built-in BMP decoder in QtGui prior to Qt 5.5 contained a bug that
would lead to a division by zero when loading certain corrupt BMP files.
This in turn would cause the application loading these hand-crafted BMPs
to crash.

Details
-------

It is possible to construct BMP files such that a division by zero occurs
when calculating the masks required to extract the colour components.

Impact
------

An application loading the malicious BMP file will crash.

Workaround
----------

None

Solution
--------

Upgrade to Qt 5.5 once released or apply the patches below:

For Qt 5.0 to 5.4: https://codereview.qt-project.org/106929
For Qt 4.8: https://codereview.qt-project.org/107108

Credits
=======

The Qt security team would like to thank Fabian Vogt for reporting the
issue.
_______________________________________________
Announce mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/announce
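One way to guard the mask arithmetic described under Details, as an added example (it is not Qt's code and not the patches linked above). It assumes the masks are the 32-bit colour masks read from an untrusted BMP header; the names Channel, parseMask, extract8 and masksAreSafe are hypothetical. Each mask is validated before any value derived from it is used as a divisor.

```cpp
#include <cstdint>

// Per-channel decoding parameters derived from one colour mask.
struct Channel {
    unsigned shift;  // position of the lowest set bit
    unsigned width;  // number of contiguous set bits, 1..32
};

// Validate one colour mask from an untrusted header. Returns false for a
// mask that is empty or not a single contiguous run of bits, so the caller
// can reject the file before any arithmetic depends on the mask.
bool parseMask(uint32_t mask, Channel *out)
{
    if (mask == 0)
        return false;
    unsigned shift = 0;
    while (((mask >> shift) & 1u) == 0)
        ++shift;
    uint64_t run = mask >> shift;      // 64-bit, so run + 1 cannot wrap to 0
    if ((run & (run + 1)) != 0)
        return false;                  // set bits are not contiguous
    unsigned width = 0;
    for (; run != 0; run >>= 1)
        ++width;
    out->shift = shift;
    out->width = width;
    return true;
}

// Expand one channel of a pixel to 8 bits. The only divisor is 2^width - 1,
// which is at least 1 because parseMask guarantees width >= 1.
uint8_t extract8(uint32_t pixel, uint32_t mask, const Channel &c)
{
    uint64_t value = (pixel & mask) >> c.shift;
    if (c.width >= 8)
        return static_cast<uint8_t>(value >> (c.width - 8));
    uint64_t max = (uint64_t(1) << c.width) - 1;
    return static_cast<uint8_t>((value * 255 + max / 2) / max);
}

// Header-level check: every mask must be valid and no two may overlap.
bool masksAreSafe(uint32_t r, uint32_t g, uint32_t b)
{
    Channel c;
    if (!parseMask(r, &c) || !parseMask(g, &c) || !parseMask(b, &c))
        return false;
    return (r & g) == 0 && (r & b) == 0 && (g & b) == 0;
}
```

A decoder would call masksAreSafe once while parsing the header and fail the load if it returns false, before decoding any pixel data.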
