Blame SOURCES/0517-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 6 Jul 2021 23:25:07 +1000
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
 items

In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.

Catch the case where we would underflow the array and bail.

Fixes: CVE-2021-3696

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
(cherry picked from commit 3a70e1f6e69af6e0d3c3cf526faa44dc0c80ac19)
---
 grub-core/video/readers/png.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index a3161e25b6..d7ed5aa6cf 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
   for (i = len; i < ht->max_length; i++)
     n += ht->maxval[i];
 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "png: out of range inserting huffman table item");
+      return;
+    }
+
   for (i = 0; i < n; i++)
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
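
Review bot: the bare `return;` after `grub_error` in the new `if (n > ht->num_values)` block reports the failure only through the GRUB error state, so every caller of `grub_png_insert_huff_item` has to check for that error after the call; otherwise decoding continues with a huffman table that is missing the rejected code. Please confirm the callers do this, or have the function return the error so it cannot be ignored. Separately, the check covers only the low end of the shift (the lowest index read in the loop is `ht->num_values - n`); the write to `ht->values[ht->num_values]` at `i = 0` depends on a capacity check that is not visible in this hunk, so a comment saying where that upper bound is enforced would help.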