dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago
Clone

Blame SOURCES/0305-font-Do-not-load-more-than-one-NAME-section.patch

c4e390
From fff5140620c52db3b7ebca5921d1d237b1dcc7ae Mon Sep 17 00:00:00 2001
c4e390
From: Daniel Kiper <daniel.kiper@oracle.com>
c4e390
Date: Tue, 7 Jul 2020 15:36:26 +0200
c4e390
Subject: [PATCH 305/336] font: Do not load more than one NAME section
c4e390
c4e390
The GRUB font file can have one NAME section only. Though if somebody
c4e390
crafts a broken font file with many NAME sections and loads it then the
c4e390
GRUB leaks memory. So, prevent against that by loading first NAME
c4e390
section and failing in controlled way on following one.
c4e390
c4e390
Reported-by: Chris Coulson <chris.coulson@canonical.com>
c4e390
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
c4e390
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
c4e390
Upstream-commit-id: 482814113dc
c4e390
---
c4e390
 grub-core/font/font.c | 6 ++++++
c4e390
 1 file changed, 6 insertions(+)
c4e390
c4e390
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
c4e390
index 71d3f78b88a..5ff5f438b40 100644
c4e390
--- a/grub-core/font/font.c
c4e390
+++ b/grub-core/font/font.c
c4e390
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
c4e390
       if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
c4e390
 		       sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
c4e390
 	{
c4e390
+	  if (font->name != NULL)
c4e390
+	    {
c4e390
+	      grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
c4e390
+	      goto fail;
c4e390
+	    }
c4e390
+
c4e390
 	  font->name = read_section_as_string (&section);
c4e390
 	  if (!font->name)
c4e390
 	    goto fail;
c4e390
-- 
c4e390
2.26.2
c4e390