
Crash on malformed quoted printable strings in decode()

Open. ghost opened this issue 13 years ago. 1 comment

Test case:

// Needs <QString> plus the project's own QuotedPrintable header (not named here).
#include <QString>

void testQuotedPrintable()
{
    // Malformed input: a trailing '=' with no hex digits after it.
    QString malformed = QString::fromLatin1("=40=");
    QuotedPrintable::decode(malformed);
}

Since this code:

        if (input.at(i).toAscii() == '=')
        {
            // Consumes two more characters without checking that they exist,
            // and indexes hexVal without checking that they are hex digits.
            output->append((hexVal[input.at(++i).toAscii() - '0'] << 4) + hexVal[input.at(++i).toAscii() - '0']);
        }

never checks the length of the input string, input.at(++i) may access the data outside of the string, sometimes resulting in a crash.

********* Start testing of Test *********
Config: Using QTest library 4.8.3, Qt 4.8.3
PASS   : Test::initTestCase()
QFATAL : Test::testQuotedPrintable() ASSERT: "uint(i) < uint(size())" in file /usr/include/qt4/QtCore/qstring.h, line 699
FAIL!  : Test::testQuotedPrintable() Received a fatal error.
   Loc: [Unknown file(0)]
Totals: 1 passed, 1 failed, 0 skipped
********* Finished testing of Test *********

ghost, Feb 10 '13 14:02

Another issue is that when the function tries to decode a malformed string (like '=\xFF\xFF'), it goes out of hexVal array bounds.

While this possibly won't crash the application (unless the stack is almost exhausted), combined with another attack this may allow the attacker to read the data from the stack.

ghost, Feb 10 '13 20:02
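Both defects reported in this thread (reading past the end of the input on "=40=", and indexing hexVal with a non-hex byte on "=\xFF\xFF") come from the same missing checks. The decoder below is an added example written for this page, not the Qt-Quoted-Printable project's code, and it uses plain std::string rather than QString so it builds without Qt. It shows the two checks a safe decoder needs: confirm that two characters follow an '=' before reading them, and validate each character as a hex digit instead of subtracting '0' and trusting the result as a table index. The function name decodeQuotedPrintable and the std::optional error signalling are my choices; soft line breaks ("=" followed by a line ending) are handled as RFC 2045 describes.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

// Map one byte to its hex value, or -1 when it is not a hex digit. Validating
// the character here is what replaces the unchecked hexVal[c - '0'] lookup:
// a byte such as 0xFF can never become an out-of-range index.
static int hexDigit(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Hypothetical hardened decoder. Returns std::nullopt on malformed input
// instead of reading outside the string or the lookup table.
std::optional<std::string> decodeQuotedPrintable(const std::string& input)
{
    std::string output;
    output.reserve(input.size());
    const std::size_t n = input.size();

    for (std::size_t i = 0; i < n; ++i) {
        const unsigned char c = static_cast<unsigned char>(input[i]);
        if (c != '=') {
            output.push_back(static_cast<char>(c));
            continue;
        }
        // Soft line break: "=" immediately followed by LF or CRLF is dropped.
        if (i + 1 < n && input[i + 1] == '\n') { i += 1; continue; }
        if (i + 2 < n && input[i + 1] == '\r' && input[i + 2] == '\n') { i += 2; continue; }

        // Bounds check first: an escape needs two more characters. The "=40="
        // case from the report is rejected here rather than read past the end.
        if (i + 2 >= n) return std::nullopt;

        const int hi = hexDigit(static_cast<unsigned char>(input[i + 1]));
        const int lo = hexDigit(static_cast<unsigned char>(input[i + 2]));
        if (hi < 0 || lo < 0) return std::nullopt;   // "=\xFF\xFF" is rejected here

        output.push_back(static_cast<char>((hi << 4) | lo));
        i += 2;
    }
    return output;
}

// Stand-alone demonstration on the two inputs from the issue thread.
int main()
{
    const char* samples[] = { "=40=", "=\xFF\xFF", "a=40b", "foo=\r\nbar" };
    for (const char* s : samples) {
        auto decoded = decodeQuotedPrintable(s);
        std::cout << (decoded ? "ok: " + *decoded : std::string("rejected: malformed input")) << '\n';
    }
    return 0;
}
```

Rejecting the whole message on a malformed escape is the strict choice; a lenient decoder could instead pass the '=' through literally, but either way the two checks above must run before any byte is read or used as an index.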