nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0244-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch

1c6ba0
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
1c6ba0
From: Daniel Axtens <dja@axtens.net>
1c6ba0
Date: Tue, 6 Jul 2021 23:25:07 +1000
1c6ba0
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
1c6ba0
 items
1c6ba0
1c6ba0
In fuzzing we observed crashes where a code would attempt to be inserted
1c6ba0
into a huffman table before the start, leading to a set of heap OOB reads
1c6ba0
and writes as table entries with negative indices were shifted around and
1c6ba0
the new code written in.
1c6ba0
1c6ba0
Catch the case where we would underflow the array and bail.
1c6ba0
1c6ba0
Fixes: CVE-2021-3696
1c6ba0
1c6ba0
Signed-off-by: Daniel Axtens <dja@axtens.net>
1c6ba0
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1c6ba0
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
1c6ba0
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
1c6ba0
---
1c6ba0
 grub-core/video/readers/png.c | 7 +++++++
1c6ba0
 1 file changed, 7 insertions(+)
1c6ba0
1c6ba0
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
1c6ba0
index a3161e25b6..d7ed5aa6cf 100644
1c6ba0
--- a/grub-core/video/readers/png.c
1c6ba0
+++ b/grub-core/video/readers/png.c
1c6ba0
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
1c6ba0
   for (i = len; i < ht->max_length; i++)
1c6ba0
     n += ht->maxval[i];
1c6ba0
 
1c6ba0
+  if (n > ht->num_values)
1c6ba0
+    {
1c6ba0
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
1c6ba0
+		  "png: out of range inserting huffman table item");
1c6ba0
+      return;
1c6ba0
+    }
1c6ba0
+
1c6ba0
   for (i = 0; i < n; i++)
1c6ba0
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
1c6ba0