An out-of-bounds (OOB) memory access flaw was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt. While processing a crafted SVG input file, parsed doubles are converted to float-representable values, and this may lead to an unauthorised memory access and possibly to a denial of service. References: https://bugreports.qt.io/browse/QTBUG-91507
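The detail of the Qt bug is private, so the following is an added illustration of the general pattern the description names (a range check performed on a parsed double, followed by an index computed from its float narrowing), not the Qt code and not the actual crash path. The table size, the function names unsafeIndex/safeIndex/fetchColor and the colour table are all assumptions made for this example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical gradient colour-table size (assumption, not Qt's value).
constexpr std::size_t kTableSize = 1024;

// Illustrative unsafe pattern (NOT Qt's code): the range check is done on the
// double, but the index is computed from its float narrowing.
// Returns the index the lookup would use, or -1 if the input was rejected.
long unsafeIndex(double pos) {
    if (std::isnan(pos) || pos < 0.0 || pos >= 1.0)
        return -1;                               // pos is in [0, 1) as a double
    float f = static_cast<float>(pos);           // narrowing may round up to exactly 1.0f
    // 1.0f * 1024 == 1024: one past the end of a 1024-entry table.
    return static_cast<long>(f * static_cast<float>(kTableSize));
}

// Hardened version: narrow first, then clamp the index that is actually used.
// Handles NaN, negative values, values >= 1 and values that overflow float to inf.
std::size_t safeIndex(double pos) {
    float f = static_cast<float>(pos);                       // may be NaN or +/-inf
    float scaled = f * static_cast<float>(kTableSize - 1);   // largest in-range product
    if (!(scaled >= 0.0f))                                   // false for NaN and negatives
        return 0;
    if (scaled >= static_cast<float>(kTableSize - 1))        // also catches +inf
        return kTableSize - 1;
    return static_cast<std::size_t>(scaled);
}

// Constructed colour table: entry i is opaque with i in the low bits, so a test
// can tell which entry was fetched.
std::vector<uint32_t> makeTable() {
    std::vector<uint32_t> table(kTableSize);
    for (std::size_t i = 0; i < kTableSize; ++i)
        table[i] = 0xFF000000u | static_cast<uint32_t>(i);
    return table;
}

// Lookup that always indexes inside the table, whatever double was parsed.
uint32_t fetchColor(const std::vector<uint32_t>& table, double pos) {
    return table.at(safeIndex(pos));
}

int main() {
    // 1.0 - 1e-9 passes the double range check but narrows to 1.0f.
    long bad = unsafeIndex(1.0 - 1e-9);           // 1024, out of bounds
    std::size_t good = safeIndex(1.0 - 1e-9);     // 1023, last valid entry
    return (bad == static_cast<long>(kTableSize) && good == kTableSize - 1) ? 0 : 1;
}
```

The point of the two functions is where the clamp sits: unsafeIndex validates the value that was parsed, while safeIndex validates the value that is used as an index after every conversion has happened.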
Created qt tracking bugs for this issue:

Affects: fedora-all [bug 1931445]

Created qt5 tracking bugs for this issue:

Affects: fedora-all [bug 1931447]
QRadialFetchSimd was added in Qt 4.8.0. Qt 3 and versions of Qt 4 up to 4.7.x are not affected. The qt (4), qt5-qtbase, and qt6-qtbase packages in Fedora are probably affected, but without the details of the vulnerability (the referenced bug is private), I cannot tell for sure.
Upstream bug: https://bugreports.qt.io/browse/QTBUG-91507
Do we have a CVE for this security issue?
In reply to comment #4:
> Do we have a CVE for this security issue?

Not yet. The issue is still under analysis. We can assign one if needed after the analysis is done.

In reply to comment #4:
> Do we have a CVE for this security issue?

We now do: CVE-2021-3481 was assigned to it.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Created qt3 tracking bugs for this issue:

Affects: fedora-all [bug 1947272]

> Created qt3 tracking bugs for this issue:
>
> Affects: fedora-all [bug 1947272]

Why? QRadialFetchSimd was added in Qt 4.8.0, so I do not see how qt3 can possibly be affected.
Hi, thank you for the confirmation. Following the crash path, it was leading to a crash in fetch() while performing operations converting the double datatype to float. UndefinedBehaviorSanitizer cannot provide additional info.

~~~
SUMMARY: UndefinedBehaviorSanitizer: SEGV /src/qt/qtbase/src/gui/painting/qdrawhelper_p.h:601:13 in QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)
==12881==ABORTING
~~~

This Bugzilla was just a placeholder in case we are doing something similar somewhere (double->float) in qt3 as well while rendering and displaying a Scalable Vector Graphics (SVG) file. Feel free to close this if my assumption was wrong. Regards.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4172 https://access.redhat.com/errata/RHSA-2021:4172
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3481