Trolltech provides patch to Qt 3 and Qt 4, addressing potential vulnerability
03 September 2007
Qt 3 and Qt 4 have a potential vulnerability in QUtf8Decoder, which might cause a one-byte buffer overflow. This problem is not exploitable in Qt 4. To solve the issue, apply the following patches for Qt 3 and Qt 4. The next maintenance release of Qt 4 will have the patch included.
This vulnerability has been assigned CVE-2007-4137.
Thanks to Dirk Mueller of KDE for reporting this vulnerability.
Qt4
--- src/corelib/codecs/qutfcodec.cpp
+++ src/corelib/codecs/qutfcodec.cpp
@@ -140,7 +140,7 @@ void QUtf8Codec::convertToUnicode(QString *target, const char *chars, int len, C
     int originalLength = target->length();
     QString &result = *target;
-    result.resize(originalLength + len); // worst case
+    result.resize(originalLength + len + 1); // worst case
     QChar *qch = result.data() + originalLength;
     uchar ch;
     int invalid = 0;
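Review bot: the `+ 1` in `result.resize(originalLength + len + 1); // worst case` is the whole fix, but the comment still only says "worst case" and gives a reader of this hunk no way to verify why the decoder can write one QChar more than it has input bytes; suggest expanding the comment to name the case that exceeds `len` and to reference CVE-2007-4137, so the bound is not silently tightened back to `len` in a later cleanup. The visible context also shows no check that `qch` stays below `result.data() + result.size()` while decoding; a debug assertion on that invariant before the final truncation would have caught this class of off-by-one directly.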
Qt3
--- src/codecs/qutfcodec.cpp
+++ src/codecs/qutfcodec.cpp
@@ -165,7 +165,7 @@ public:
     QString toUnicode(const char* chars, int len)
     {
     QString result;
-    result.setLength( len ); // worst case
+    result.setLength( len + 1 ); // worst case
     QChar *qch = (QChar *)result.unicode();
     uchar ch;
         int error = -1;
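Review bot: same point as in the Qt 4 hunk, `result.setLength( len + 1 ); // worst case` should document why the bound is `len + 1` rather than `len`, ideally citing CVE-2007-4137, since nothing in the visible context explains it. Two smaller things in this region: `QChar *qch = (QChar *)result.unicode();` casts away const on the pointer returned by `unicode()` and writes through it, which is fragile if `QString` shares or copies its data on write, and the indentation of `int error = -1;` does not match the surrounding lines (mixed tabs and spaces); both are worth tidying while this function is being touched.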