From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Wed, 7 Jul 2021 15:38:19 +1000

Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write

Certain 1 px wide images caused a wild pointer write in

grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),

we have the following loop:

for (; data->r1 < nr1 && (!data->dri || rst);

     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)

We did not check if vb * width >= hb * nc1.

On a 64-bit platform, if that turns out to be negative, it will underflow,

be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so

we see data->bitmap_ptr jump, e.g.:

0x6180_0000_0480 to

0x6181_0000_0498

     ^

     ~--- carry has occurred and this pointer is now far away from

          any object.

On a 32-bit platform, it will decrement the pointer, creating a pointer

that won't crash but will overwrite random data.

Catch the underflow and error out.

Fixes: CVE-2021-3697

Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

(cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)

---

 grub-core/video/readers/jpeg.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c

index 1df1171d78..2da04094b3 100644

--- a/grub-core/video/readers/jpeg.c

+++ b/grub-core/video/readers/jpeg.c

@@ -705,6 +705,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)

     return grub_error (GRUB_ERR_BAD_FILE_TYPE,

 		       "jpeg: attempted to decode data before start of stream");

+  if (vb * data->image_width <= hb * nc1)

+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		       "jpeg: cannot decode image with these dimensions");

+

   for (; data->r1 < nr1 && (!data->dri || rst);

        data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)

     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);