|
|
468bd4 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
468bd4 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
468bd4 |
Date: Fri, 15 Jan 2021 12:57:04 +1100
|
|
|
468bd4 |
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
|
|
|
468bd4 |
or Huffman tables
|
|
|
468bd4 |
|
|
|
468bd4 |
Our decoder only supports 2 quantization tables. If a file asks for
|
|
|
468bd4 |
a quantization table with index > 1, reject it.
|
|
|
468bd4 |
|
|
|
468bd4 |
Similarly, our decoder only supports 4 Huffman tables. If a file asks
|
|
|
468bd4 |
for a Huffman table with index > 3, reject it.
|
|
|
468bd4 |
|
|
|
468bd4 |
This fixes some out of bounds reads. It's not clear what degree of control
|
|
|
468bd4 |
over subsequent execution could be gained by someone who can carefully
|
|
|
468bd4 |
set up the contents of memory before loading an invalid JPEG file.
|
|
|
468bd4 |
|
|
|
468bd4 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
468bd4 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
468bd4 |
---
|
|
|
468bd4 |
grub-core/video/readers/jpeg.c | 8 ++++++++
|
|
|
468bd4 |
1 file changed, 8 insertions(+)
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
|
|
468bd4 |
index 0b6ce3cee64..23f919aa070 100644
|
|
|
468bd4 |
--- a/grub-core/video/readers/jpeg.c
|
|
|
468bd4 |
+++ b/grub-core/video/readers/jpeg.c
|
|
|
468bd4 |
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
|
|
|
468bd4 |
else if (ss != JPEG_SAMPLING_1x1)
|
|
|
468bd4 |
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
468bd4 |
"jpeg: sampling method not supported");
|
|
|
468bd4 |
+
|
|
|
468bd4 |
data->comp_index[id][0] = grub_jpeg_get_byte (data);
|
|
|
468bd4 |
+ if (data->comp_index[id][0] > 1)
|
|
|
468bd4 |
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
468bd4 |
+ "jpeg: too many quantization tables");
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
if (data->file->offset != next_marker)
|
|
|
468bd4 |
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
|
|
468bd4 |
ht = grub_jpeg_get_byte (data);
|
|
|
468bd4 |
data->comp_index[id][1] = (ht >> 4);
|
|
|
468bd4 |
data->comp_index[id][2] = (ht & 0xF) + 2;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
|
|
|
468bd4 |
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
|
|
|
468bd4 |
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
|