|
|
bf0270 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
bf0270 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
bf0270 |
Date: Wed, 7 Jul 2021 15:38:19 +1000
|
|
|
bf0270 |
Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
|
|
|
bf0270 |
|
|
|
bf0270 |
Certain 1 px wide images caused a wild pointer write in
|
|
|
bf0270 |
grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
|
|
|
bf0270 |
we have the following loop:
|
|
|
bf0270 |
|
|
|
bf0270 |
for (; data->r1 < nr1 && (!data->dri || rst);
|
|
|
bf0270 |
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
|
|
bf0270 |
|
|
|
bf0270 |
We did not check if vb * width >= hb * nc1.
|
|
|
bf0270 |
|
|
|
bf0270 |
On a 64-bit platform, if that turns out to be negative, it will underflow,
|
|
|
bf0270 |
be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
|
|
|
bf0270 |
we see data->bitmap_ptr jump, e.g.:
|
|
|
bf0270 |
|
|
|
bf0270 |
0x6180_0000_0480 to
|
|
|
bf0270 |
0x6181_0000_0498
|
|
|
bf0270 |
^
|
|
|
bf0270 |
~--- carry has occurred and this pointer is now far away from
|
|
|
bf0270 |
any object.
|
|
|
bf0270 |
|
|
|
bf0270 |
On a 32-bit platform, it will decrement the pointer, creating a pointer
|
|
|
bf0270 |
that won't crash but will overwrite random data.
|
|
|
bf0270 |
|
|
|
bf0270 |
Catch the underflow and error out.
|
|
|
bf0270 |
|
|
|
bf0270 |
Fixes: CVE-2021-3697
|
|
|
bf0270 |
|
|
|
bf0270 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
bf0270 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
bf0270 |
(cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)
|
|
|
bf0270 |
(cherry picked from commit 5f9582490792108306d047379fed2371bee286f8)
|
|
|
bf0270 |
(cherry picked from commit 7e4bf25d9bb5219fbf11c523296dc3bd78b80698)
|
|
|
bf0270 |
(cherry picked from commit 397ecffe404b892470c41f4d24340526d3d33666)
|
|
|
bf0270 |
---
|
|
|
bf0270 |
grub-core/video/readers/jpeg.c | 4 ++++
|
|
|
bf0270 |
1 file changed, 4 insertions(+)
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
|
|
bf0270 |
index 1df1171d78..2da04094b3 100644
|
|
|
bf0270 |
--- a/grub-core/video/readers/jpeg.c
|
|
|
bf0270 |
+++ b/grub-core/video/readers/jpeg.c
|
|
|
bf0270 |
@@ -705,6 +705,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
|
|
bf0270 |
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
bf0270 |
"jpeg: attempted to decode data before start of stream");
|
|
|
bf0270 |
|
|
|
bf0270 |
+ if (vb * data->image_width <= hb * nc1)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
bf0270 |
+ "jpeg: cannot decode image with these dimensions");
|
|
|
bf0270 |
+
|
|
|
bf0270 |
for (; data->r1 < nr1 && (!data->dri || rst);
|
|
|
bf0270 |
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|
|
|
bf0270 |
for (c1 = 0; c1 < nc1 && (!data->dri || rst);
|