nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0287-font-Do-not-load-more-than-one-NAME-section.patch

5975ab
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
a4d572
From: Daniel Kiper <daniel.kiper@oracle.com>
a4d572
Date: Tue, 7 Jul 2020 15:36:26 +0200
5975ab
Subject: [PATCH] font: Do not load more than one NAME section
a4d572
a4d572
The GRUB font file can have one NAME section only. Though if somebody
a4d572
crafts a broken font file with many NAME sections and loads it then the
a4d572
GRUB leaks memory. So, prevent against that by loading first NAME
a4d572
section and failing in controlled way on following one.
a4d572
a4d572
Reported-by: Chris Coulson <chris.coulson@canonical.com>
a4d572
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
a4d572
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
a4d572
Upstream-commit-id: 482814113dc
a4d572
---
a4d572
 grub-core/font/font.c | 6 ++++++
a4d572
 1 file changed, 6 insertions(+)
a4d572
a4d572
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
09e3cc
index d63354fb5..a7b955a1a 100644
a4d572
--- a/grub-core/font/font.c
a4d572
+++ b/grub-core/font/font.c
a4d572
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
a4d572
       if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
a4d572
 		       sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
a4d572
 	{
a4d572
+	  if (font->name != NULL)
a4d572
+	    {
a4d572
+	      grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
a4d572
+	      goto fail;
a4d572
+	    }
a4d572
+
a4d572
 	  font->name = read_section_as_string (&section);
a4d572
 	  if (!font->name)
a4d572
 	    goto fail;