QtGui
cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*
- <= 5.15.18
- >= 6.0.0, <= 6.5.8
- >= 6.6.0, <= 6.8.3
- >= 6.9.0, < 6.9.1
A denial-of-service vulnerability has been identified in the private API function qDecodeDataUrl() in QtCore. The function is used by QTextDocument and QNetworkReply, and may also be called directly by user code. When qDecodeDataUrl() receives malformed input, such as a data URL whose 'charset' parameter has no value (e.g. 'data:charset,'), an assertion inside the function fails. In a Qt build with assertions enabled, that failed assertion aborts the process. The vulnerability affects Qt versions prior to 5.15.19, 6.0.0 through 6.5.8, 6.6.0 through 6.8.3, and 6.9.0.
Exploiting this vulnerability crashes the application, resulting in a denial-of-service condition. Because the abort comes from a failed assertion, it is reachable only in builds compiled with assertions enabled (typically debug builds). Any path that lets untrusted content reach one of the affected consumers, for example HTML handed to QTextDocument or a data: URL requested through QNetworkReply, is a potential trigger.
To reproduce, pass a malformed data URL whose 'charset' parameter has no value, such as 'data:charset,', to qDecodeDataUrl(), either directly or through a component that calls it (QTextDocument or QNetworkReply), in an application linked against a Qt build with assertions enabled.
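The following is an added example and is not Qt's code: a small stand-alone C++ parser for the header part of a data: URL (RFC 2397) that shows how the malformed input named above, a 'charset' parameter with no value, can be rejected as a parse error instead of tripping an assertion. The names DataUrl, parseDataUrl and ieq are this example's own, and the inputs in main() are constructed for illustration.

```cpp
// Added example (not Qt's code): a stand-alone parser for the header part of a
// data: URL (RFC 2397). It returns an error for malformed input such as
// 'data:charset,' rather than asserting, because the caller (a document
// renderer, a network layer) cannot guarantee the URL is well formed.
// Names such as DataUrl and parseDataUrl are this example's own.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <initializer_list>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

struct DataUrl {
    std::string mimeType = "text/plain"; // RFC 2397 default when the media type is omitted
    std::string charset  = "US-ASCII";   // RFC 2397 default charset
    bool        base64   = false;
    std::string payload;                 // still percent- or base64-encoded
};

// Case-insensitive equality for tokens like "data:", "base64" and "charset".
static bool ieq(std::string_view a, std::string_view b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// Parses "data:[<mediatype>][;charset=<cs>][;base64],<data>".
// Returns std::nullopt for anything malformed; never asserts on input.
std::optional<DataUrl> parseDataUrl(std::string_view url) {
    constexpr auto npos = std::string_view::npos;
    if (url.size() < 5 || !ieq(url.substr(0, 5), "data:"))
        return std::nullopt;
    url.remove_prefix(5);

    // The comma separating header from payload is mandatory.
    const size_t comma = url.find(',');
    if (comma == npos)
        return std::nullopt;

    DataUrl out;
    out.payload = std::string(url.substr(comma + 1));
    const std::string_view header = url.substr(0, comma);

    // Split the header on ';' into media type and parameters.
    std::vector<std::string_view> parts;
    for (size_t start = 0;;) {
        const size_t semi = header.find(';', start);
        parts.push_back(header.substr(start, semi == npos ? npos : semi - start));
        if (semi == npos) break;
        start = semi + 1;
    }

    // The first part is the media type only if it looks like one (type/subtype).
    // An empty first part ("data:;charset=...") means the media type was omitted.
    // Anything else ("data:charset,") is treated as a parameter and validated below.
    size_t first = 0;
    if (parts[0].empty()) {
        first = 1;
    } else if (parts[0].find('/') != npos) {
        out.mimeType = std::string(parts[0]);
        first = 1;
    }

    for (size_t i = first; i < parts.size(); ++i) {
        const std::string_view p = parts[i];
        if (p.empty())
            return std::nullopt;                 // "a;;b" style empty parameter
        if (ieq(p, "base64")) {
            out.base64 = true;
            continue;
        }
        const size_t eq = p.find('=');
        // Reject a parameter with no '=', an empty name, or an empty value.
        // This is the branch that catches 'data:charset,'.
        if (eq == npos || eq == 0 || eq + 1 == p.size())
            return std::nullopt;
        const std::string_view name  = p.substr(0, eq);
        const std::string_view value = p.substr(eq + 1);
        if (ieq(name, "charset"))
            out.charset = std::string(value);
        // Other parameters are accepted and ignored.
    }
    return out;
}

int main() {
    // Constructed inputs: the advisory's malformed URL plus two well-formed ones.
    for (const char* u : {"data:charset,",
                          "data:text/html;charset=utf-8;base64,PGI+aGk8L2I+",
                          "data:,hello"}) {
        auto r = parseDataUrl(u);
        if (r)
            std::printf("%-50s -> %s charset=%s base64=%d payload=%s\n", u,
                        r->mimeType.c_str(), r->charset.c_str(), r->base64 ? 1 : 0,
                        r->payload.c_str());
        else
            std::printf("%-50s -> rejected\n", u);
    }
    return 0;
}
```

The design point is that parameter validation on attacker-reachable input belongs in ordinary control flow that returns an error, not in an assertion: an assertion documents an invariant the code itself guarantees, and it is compiled out in release builds, so it neither protects a release build nor fails safely in a debug one.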
Users should upgrade to Qt 5.15.19, 6.5.9, 6.8.4, or 6.9.1, whichever corresponds to the release series in use, to address this vulnerability.