Blame SOURCES/0517-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 6 Jul 2021 23:25:07 +1000
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
 items

In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.

Catch the case where we would underflow the array and bail.

Fixes: CVE-2021-3696

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
(cherry picked from commit 3a70e1f6e69af6e0d3c3cf526faa44dc0c80ac19)
---
 grub-core/video/readers/png.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index a3161e25b6..d7ed5aa6cf 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
   for (i = len; i < ht->max_length; i++)
     n += ht->maxval[i];
 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "png: out of range inserting huffman table item");
+      return;
+    }
+
   for (i = 0; i < n; i++)
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
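
Review bot: the new `n > ht->num_values` branch bails with a bare `return;`, so the failure is reported only through `grub_error`, and every caller of grub_png_insert_huff_item has to check grub_errno after the call or decoding carries on with a table that is missing this code. Either confirm the callers do that or have the function return grub_err_t. The bound itself matches the loop below it: the lowest index touched is `ht->values[ht->num_values - n]`, which stays at or above 0 when n <= ht->num_values, and a one-line comment above the check saying so would help the next reader. The check does not cover the upper end, the write to `ht->values[ht->num_values]` at i = 0, so it is worth confirming that num_values is bounded against the allocation elsewhere.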