nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0287-font-Do-not-load-more-than-one-NAME-section.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Daniel Kiper <daniel.kiper@oracle.com>
80913e
Date: Tue, 7 Jul 2020 15:36:26 +0200
80913e
Subject: [PATCH] font: Do not load more than one NAME section
80913e
80913e
The GRUB font file can have one NAME section only. Though if somebody
80913e
crafts a broken font file with many NAME sections and loads it then the
80913e
GRUB leaks memory. So, prevent against that by loading first NAME
80913e
section and failing in controlled way on following one.
80913e
80913e
Reported-by: Chris Coulson <chris.coulson@canonical.com>
80913e
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
80913e
Upstream-commit-id: 482814113dc
80913e
---
80913e
 grub-core/font/font.c | 6 ++++++
80913e
 1 file changed, 6 insertions(+)
80913e
80913e
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
b32e65
index d63354fb5..a7b955a1a 100644
80913e
--- a/grub-core/font/font.c
80913e
+++ b/grub-core/font/font.c
80913e
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
80913e
       if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
80913e
 		       sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
80913e
 	{
80913e
+	  if (font->name != NULL)
80913e
+	    {
80913e
+	      grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
80913e
+	      goto fail;
80913e
+	    }
80913e
+
80913e
 	  font->name = read_section_as_string (&section);
80913e
 	  if (!font->name)
80913e
 	    goto fail;