|
 |
1c6ba0 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
1c6ba0 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
1c6ba0 |
Date: Tue, 6 Jul 2021 23:25:07 +1000
|
|
|
1c6ba0 |
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
|
|
|
1c6ba0 |
items
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
In fuzzing we observed crashes where a code would attempt to be inserted
|
|
|
1c6ba0 |
into a huffman table before the start, leading to a set of heap OOB reads
|
|
|
1c6ba0 |
and writes as table entries with negative indices were shifted around and
|
|
|
1c6ba0 |
the new code written in.
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Catch the case where we would underflow the array and bail.
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Fixes: CVE-2021-3696
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
1c6ba0 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
1c6ba0 |
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
|
|
|
1c6ba0 |
---
|
|
|
1c6ba0 |
grub-core/video/readers/png.c | 7 +++++++
|
|
|
1c6ba0 |
1 file changed, 7 insertions(+)
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
|
|
|
1c6ba0 |
index a3161e25b6..d7ed5aa6cf 100644
|
|
|
1c6ba0 |
--- a/grub-core/video/readers/png.c
|
|
|
1c6ba0 |
+++ b/grub-core/video/readers/png.c
|
|
|
1c6ba0 |
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
|
|
|
1c6ba0 |
for (i = len; i < ht->max_length; i++)
|
|
|
1c6ba0 |
n += ht->maxval[i];
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
+ if (n > ht->num_values)
|
|
|
1c6ba0 |
+ {
|
|
|
1c6ba0 |
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
1c6ba0 |
+ "png: out of range inserting huffman table item");
|
|
|
1c6ba0 |
+ return;
|
|
|
1c6ba0 |
+ }
|
|
|
1c6ba0 |
+
|
|
|
1c6ba0 |
for (i = 0; i < n; i++)
|
|
|
1c6ba0 |
ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
|
|
|
1c6ba0 |
|