Dirk Mueller reported an off-by-one buffer overflow flaw in the way Qt parses certain Unicode strings. To quote Dirk: I've found an off-by-one buffer overflow in QUtf8Decoder::toUnicode(). It is not exploitable with Qt 4.x or above because there is an additional QChar(0) being allocated in QString, however it is still a bug there, as the array returned by utf16() etc. is no longer terminated properly.
Created attachment 181821: Proposed patch for QT3
Created attachment 181841: Proposed patch for QT4
Public, removing embargo: http://trolltech.com/company/newsroom/announcements/press.2007-09-03.7564032119
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0883.html
Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2216