nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0521-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch

0ccc47
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
0ccc47
From: Daniel Axtens <dja@axtens.net>
0ccc47
Date: Mon, 28 Jun 2021 14:25:17 +1000
0ccc47
Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
0ccc47
 streams
0ccc47
0ccc47
An invalid file could contain multiple start of stream blocks, which
0ccc47
would cause us to reallocate and leak our bitmap. Refuse to handle
0ccc47
multiple start of streams.
0ccc47
0ccc47
Additionally, fix a grub_error() call formatting.
0ccc47
0ccc47
Signed-off-by: Daniel Axtens <dja@axtens.net>
0ccc47
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
0ccc47
(cherry picked from commit f3a854def3e281b7ad4bbea730cd3046de1da52f)
0ccc47
(cherry picked from commit db0154828989a0a52ee59a4dda8c3803752bc827)
0ccc47
(cherry picked from commit 75afb375ef46bc99a7faf5879d0283934e34db97)
0ccc47
---
0ccc47
 grub-core/video/readers/jpeg.c | 7 +++++--
0ccc47
 1 file changed, 5 insertions(+), 2 deletions(-)
0ccc47
0ccc47
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
0ccc47
index caa211f06d..1df1171d78 100644
0ccc47
--- a/grub-core/video/readers/jpeg.c
0ccc47
+++ b/grub-core/video/readers/jpeg.c
0ccc47
@@ -677,6 +677,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
0ccc47
   if (data->file->offset != data_offset)
0ccc47
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
0ccc47
 
0ccc47
+  if (*data->bitmap)
0ccc47
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
0ccc47
+
0ccc47
   if (grub_video_bitmap_create (data->bitmap, data->image_width,
0ccc47
 				data->image_height,
0ccc47
 				GRUB_VIDEO_BLIT_FORMAT_RGB_888))
0ccc47
@@ -699,8 +702,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
0ccc47
   nc1 = (data->image_width + hb - 1)  >> (3 + data->log_hs);
0ccc47
 
0ccc47
   if (data->bitmap_ptr == NULL)
0ccc47
-    return grub_error(GRUB_ERR_BAD_FILE_TYPE,
0ccc47
-		      "jpeg: attempted to decode data before start of stream");
0ccc47
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
0ccc47
+		       "jpeg: attempted to decode data before start of stream");
0ccc47
 
0ccc47
   for (; data->r1 < nr1 && (!data->dri || rst);
0ccc47
        data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)