From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Fri, 15 Jan 2021 13:29:53 +1100

Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in

 grub_jpeg_decode_du()

The key line is:

  du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];

jpeg_zigzag_order is grub_uint8_t[64].

I don't understand JPEG decoders quite well enough to explain what's

going on here. However, I observe sometimes pos=64, which leads to an

OOB read of the jpeg_zigzag_order global then an OOB write to du.

That leads to various unpleasant memory corruption conditions.

Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.

Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

---

 grub-core/video/readers/jpeg.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c

index 23f919aa0..e5148120f 100644

--- a/grub-core/video/readers/jpeg.c

+++ b/grub-core/video/readers/jpeg.c

@@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)

       val = grub_jpeg_get_number (data, num & 0xF);

       num >>= 4;

       pos += num;

+

+      if (pos >= ARRAY_SIZE (jpeg_zigzag_order))

+	{

+	  grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		      "jpeg: invalid position in zigzag order!?");

+	  return;

+	}

+

       du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];

       pos++;

     }