Summary:
I had a look at some image loading code in kimageformats and found memory
corruption bugs (there might be more):
- oobwrite4b.xcf: OOB write in kimg_xcf:
By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make
size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484
The values aren't arbitrary, so AFAICT DoS only.
Fix is to move the sanity check for size below the assignment.
- oobread.tga: OOB read in kimg_tga:
By overflowing the "size = tga.width * tga.height * pixel_size" calculation,
it's possible to cause OOB reads later on as the image data array is too small:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192
Fix is to use a 64bit integer instead.
- oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga
If RLE is enabled, any size checks are skipped, so it's possible to write
either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga)
or or 507 arbitrary bytes (oobwrite507.tga) out of bounds.
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209
Fix is to check for "num" being negative before reading into the buffer.
Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise)
Test Plan:
Stopped crashing and valgrind don't complain anymore.
TGA preview still works for valid files.
Reviewers: aacid
Reviewed By: aacid
Subscribers: lbeltrame, kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D18574
Summary:
The code is even simpler this way.
Found by using heaptrack.
Test Plan: the unittest for rgb still passes.
Reviewers: cfeck
Reviewed By: cfeck
Subscribers: jtamate, kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D15890
Summary:
Deny any capabilities when there is no QApp instance.
BUG: 397040
Test Plan:
Untested, as I do not experience the bug on my system and had no time to
invest into trying to.
Reviewers: zccrs, dfaure, pino
Reviewed By: dfaure
Subscribers: kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D15405
The GIMP image loader had a limit to 16K x 16K pixels, because this would
already exhaust the 2 GByte address space limit of 32 bit systems.
Remove this limit on 64 bit systems to allow the full 32K x 32K size.
BUG: 391970
Differential Revision: https://phabricator.kde.org/D12557
The JSON file argument is passed to Q_PLUGIN_METADATA, which is a no-code
macro at the C++ level and only used to note information used by moc
for the generated moc file.
So when the content of the JSON file has changed, this will not change
anything in the preprocessed source file itself. It only has an effect on
the content of the moc file generated based on it, which is either included
and thus already triggers a dependecy or generated by automoc and compiled
separately into the target with the needed dependencies.
It is automoc which needs to properly trigger a recreation of the moc
file when checking the sources (and at least in 3.9 & 10 does),
and this is nothing that can be influenced by dependency rules.
