Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-91770

qvnc: Arbitrary memory read vulnerability

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.12.11, 5.15.5, 6.1.1, 6.2.0 Alpha
    • 5.12.10, 6.0.2
    • QPA
    • None
    • c494c1e8754ed13b409133196d9db00bf7e0f2b5 (qt/qtbase/dev) d4d9b4875e175b6d26fee428a8e0dd0d388fb5d8 (qt/qtbase/6.1) 29b06697843851cd577cef7d69c428195cf08f4b (qt/qtbase/5.12) 68c016cf0925b700235c5780b50ed554428a2fdb (qt/tqtc-qtbase/5.15)

    Description

      qtbase/src/plugins/platforms/vnc/qvncclient.cpp:
      QVncClient::frameBufferUpdateRequest() does no boundary checks on client provided rectangle size.

      qtbase/src/plugins/platforms/vnc/qvnc.cpp:

      void QRfbRawEncoder::write()
{
    // ...
        const uchar *screendata = screenImage.scanLine(rect.y)
                                  + rect.x * screenImage.depth() / 8;

      The unchecked rectangle size is used to calculate a memory offset. Whatever is at that location is encoded into pixels and sent to the client.

      Attachments

        Activity

          People

            vgt Eirik Aavitsland
            youduda Florian Freund
            Veli-Pekka Heinonen Veli-Pekka Heinonen
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: