nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0519-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch

b9d01e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b9d01e
From: Daniel Axtens <dja@axtens.net>
b9d01e
Date: Mon, 28 Jun 2021 14:16:14 +1000
b9d01e
Subject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails
b9d01e
b9d01e
Fuzzing revealed some inputs that were taking a long time, potentially
b9d01e
forever, because they did not bail quickly upon encountering an I/O error.
b9d01e
b9d01e
Try to catch I/O errors sooner and bail out.
b9d01e
b9d01e
Signed-off-by: Daniel Axtens <dja@axtens.net>
b9d01e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b9d01e
(cherry picked from commit ab2e5d2e4bff488bbb557ed435a61ae102ef9f0c)
b9d01e
(cherry picked from commit 1ff8df0d2dea8ec7c8575241d5e7d6622c204ec3)
b9d01e
(cherry picked from commit b07767383b74a0ce7135c09ba8701510d4ad32f0)
b9d01e
---
b9d01e
 grub-core/video/readers/jpeg.c | 86 ++++++++++++++++++++++++++++++++++--------
b9d01e
 1 file changed, 70 insertions(+), 16 deletions(-)
b9d01e
b9d01e
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
b9d01e
index e31602f766..10225abd53 100644
b9d01e
--- a/grub-core/video/readers/jpeg.c
b9d01e
+++ b/grub-core/video/readers/jpeg.c
b9d01e
@@ -109,9 +109,17 @@ static grub_uint8_t
b9d01e
 grub_jpeg_get_byte (struct grub_jpeg_data *data)
b9d01e
 {
b9d01e
   grub_uint8_t r;
b9d01e
+  grub_ssize_t bytes_read;
b9d01e
 
b9d01e
   r = 0;
b9d01e
-  grub_file_read (data->file, &r, 1);
b9d01e
+  bytes_read = grub_file_read (data->file, &r, 1);
b9d01e
+
b9d01e
+  if (bytes_read != 1)
b9d01e
+    {
b9d01e
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+		  "jpeg: unexpected end of data");
b9d01e
+      return 0;
b9d01e
+    }
b9d01e
 
b9d01e
   return r;
b9d01e
 }
b9d01e
@@ -120,9 +128,17 @@ static grub_uint16_t
b9d01e
 grub_jpeg_get_word (struct grub_jpeg_data *data)
b9d01e
 {
b9d01e
   grub_uint16_t r;
b9d01e
+  grub_ssize_t bytes_read;
b9d01e
 
b9d01e
   r = 0;
b9d01e
-  grub_file_read (data->file, &r, sizeof (grub_uint16_t));
b9d01e
+  bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
b9d01e
+
b9d01e
+  if (bytes_read != sizeof (grub_uint16_t))
b9d01e
+    {
b9d01e
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+		  "jpeg: unexpected end of data");
b9d01e
+      return 0;
b9d01e
+    }
b9d01e
 
b9d01e
   return grub_be_to_cpu16 (r);
b9d01e
 }
b9d01e
@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
b9d01e
   if (data->bit_mask == 0)
b9d01e
     {
b9d01e
       data->bit_save = grub_jpeg_get_byte (data);
b9d01e
+      if (grub_errno != GRUB_ERR_NONE) {
b9d01e
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+		    "jpeg: file read error");
b9d01e
+	return 0;
b9d01e
+      }
b9d01e
       if (data->bit_save == JPEG_ESC_CHAR)
b9d01e
 	{
b9d01e
 	  if (grub_jpeg_get_byte (data) != 0)
b9d01e
@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
b9d01e
 			  "jpeg: invalid 0xFF in data stream");
b9d01e
 	      return 0;
b9d01e
 	    }
b9d01e
+	  if (grub_errno != GRUB_ERR_NONE)
b9d01e
+	    {
b9d01e
+	      grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
b9d01e
+	      return 0;
b9d01e
+	    }
b9d01e
 	}
b9d01e
       data->bit_mask = 0x80;
b9d01e
     }
b9d01e
@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
b9d01e
     return 0;
b9d01e
 
b9d01e
   msb = value = grub_jpeg_get_bit (data);
b9d01e
-  for (i = 1; i < num; i++)
b9d01e
+  for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
b9d01e
     value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
b9d01e
   if (!msb)
b9d01e
     value += 1 - (1 << num);
b9d01e
@@ -202,6 +228,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
b9d01e
   while (data->file->offset + sizeof (count) + 1 <= next_marker)
b9d01e
     {
b9d01e
       id = grub_jpeg_get_byte (data);
b9d01e
+      if (grub_errno != GRUB_ERR_NONE)
b9d01e
+	return grub_errno;
b9d01e
       ac = (id >> 4) & 1;
b9d01e
       id &= 0xF;
b9d01e
       if (id > 1)
b9d01e
@@ -252,6 +280,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
b9d01e
 
b9d01e
   next_marker = data->file->offset;
b9d01e
   next_marker += grub_jpeg_get_word (data);
b9d01e
+  if (grub_errno != GRUB_ERR_NONE)
b9d01e
+    return grub_errno;
b9d01e
 
b9d01e
   if (next_marker > data->file->size)
b9d01e
     {
b9d01e
@@ -263,6 +293,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
b9d01e
 	 <= next_marker)
b9d01e
     {
b9d01e
       id = grub_jpeg_get_byte (data);
b9d01e
+      if (grub_errno != GRUB_ERR_NONE)
b9d01e
+        return grub_errno;
b9d01e
       if (id >= 0x10)		/* Upper 4-bit is precision.  */
b9d01e
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
 			   "jpeg: only 8-bit precision is supported");
b9d01e
@@ -294,6 +326,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
b9d01e
   next_marker = data->file->offset;
b9d01e
   next_marker += grub_jpeg_get_word (data);
b9d01e
 
b9d01e
+  if (grub_errno != GRUB_ERR_NONE)
b9d01e
+    return grub_errno;
b9d01e
+
b9d01e
   if (grub_jpeg_get_byte (data) != 8)
b9d01e
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
 		       "jpeg: only 8-bit precision is supported");
b9d01e
@@ -319,6 +354,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
b9d01e
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
b9d01e
 
b9d01e
       ss = grub_jpeg_get_byte (data);	/* Sampling factor.  */
b9d01e
+      if (grub_errno != GRUB_ERR_NONE)
b9d01e
+	return grub_errno;
b9d01e
       if (!id)
b9d01e
 	{
b9d01e
 	  grub_uint8_t vs, hs;
b9d01e
@@ -498,7 +535,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
b9d01e
     }
b9d01e
 }
b9d01e
 
b9d01e
-static void
b9d01e
+static grub_err_t
b9d01e
 grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
b9d01e
 {
b9d01e
   int h1, h2, qt;
b9d01e
@@ -513,6 +550,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
b9d01e
   data->dc_value[id] +=
b9d01e
     grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
b9d01e
 
b9d01e
+  if (grub_errno != GRUB_ERR_NONE)
b9d01e
+    return grub_errno;
b9d01e
+
b9d01e
   du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
b9d01e
   pos = 1;
b9d01e
   while (pos < ARRAY_SIZE (data->quan_table[qt]))
b9d01e
@@ -527,11 +567,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
b9d01e
       num >>= 4;
b9d01e
       pos += num;
b9d01e
 
b9d01e
+      if (grub_errno != GRUB_ERR_NONE)
b9d01e
+        return grub_errno;
b9d01e
+
b9d01e
       if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
b9d01e
 	{
b9d01e
-	  grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
-		      "jpeg: invalid position in zigzag order!?");
b9d01e
-	  return;
b9d01e
+	  return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+			     "jpeg: invalid position in zigzag order!?");
b9d01e
 	}
b9d01e
 
b9d01e
       du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
b9d01e
@@ -539,6 +581,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
b9d01e
     }
b9d01e
 
b9d01e
   grub_jpeg_idct_transform (du);
b9d01e
+  return GRUB_ERR_NONE;
b9d01e
 }
b9d01e
 
b9d01e
 static void
b9d01e
@@ -597,7 +640,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
b9d01e
   data_offset += grub_jpeg_get_word (data);
b9d01e
 
b9d01e
   cc = grub_jpeg_get_byte (data);
b9d01e
-
b9d01e
+  if (grub_errno != GRUB_ERR_NONE)
b9d01e
+    return grub_errno;
b9d01e
   if (cc != 3 && cc != 1)
b9d01e
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
 		       "jpeg: component count must be 1 or 3");
b9d01e
@@ -610,7 +654,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
b9d01e
       id = grub_jpeg_get_byte (data) - 1;
b9d01e
       if ((id < 0) || (id >= 3))
b9d01e
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
b9d01e
-
b9d01e
+      if (grub_errno != GRUB_ERR_NONE)
b9d01e
+	return grub_errno;
b9d01e
       ht = grub_jpeg_get_byte (data);
b9d01e
       data->comp_index[id][1] = (ht >> 4);
b9d01e
       data->comp_index[id][2] = (ht & 0xF) + 2;
b9d01e
@@ -618,11 +663,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
b9d01e
       if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
b9d01e
 	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
b9d01e
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
b9d01e
+      if (grub_errno != GRUB_ERR_NONE)
b9d01e
+	return grub_errno;
b9d01e
     }
b9d01e
 
b9d01e
   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */
b9d01e
   grub_jpeg_get_word (data);
b9d01e
-
b9d01e
+  if (grub_errno != GRUB_ERR_NONE)
b9d01e
+    return grub_errno;
b9d01e
   if (data->file->offset != data_offset)
b9d01e
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
b9d01e
 
b9d01e
@@ -640,6 +688,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
b9d01e
 {
b9d01e
   unsigned c1, vb, hb, nr1, nc1;
b9d01e
   int rst = data->dri;
b9d01e
+  grub_err_t err = GRUB_ERR_NONE;
b9d01e
 
b9d01e
   vb = 8 << data->log_vs;
b9d01e
   hb = 8 << data->log_hs;
b9d01e
@@ -660,17 +709,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
b9d01e
 
b9d01e
 	for (r2 = 0; r2 < (1U << data->log_vs); r2++)
b9d01e
 	  for (c2 = 0; c2 < (1U << data->log_hs); c2++)
b9d01e
-	    grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
b9d01e
+            {
b9d01e
+              err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
b9d01e
+              if (err != GRUB_ERR_NONE)
b9d01e
+                return err;
b9d01e
+            }
b9d01e
 
b9d01e
 	if (data->color_components >= 3)
b9d01e
 	  {
b9d01e
-	    grub_jpeg_decode_du (data, 1, data->cbdu);
b9d01e
-	    grub_jpeg_decode_du (data, 2, data->crdu);
b9d01e
+	    err = grub_jpeg_decode_du (data, 1, data->cbdu);
b9d01e
+	    if (err != GRUB_ERR_NONE)
b9d01e
+	      return err;
b9d01e
+	    err = grub_jpeg_decode_du (data, 2, data->crdu);
b9d01e
+	    if (err != GRUB_ERR_NONE)
b9d01e
+	      return err;
b9d01e
 	  }
b9d01e
 
b9d01e
-	if (grub_errno)
b9d01e
-	  return grub_errno;
b9d01e
-
b9d01e
 	nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
b9d01e
 	nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;
b9d01e