Blame SOURCES/0435-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Daniel Axtens <dja@axtens.net>
468bd4
Date: Fri, 15 Jan 2021 13:29:53 +1100
468bd4
Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in
468bd4
 grub_jpeg_decode_du()
468bd4
468bd4
The key line is:
468bd4
468bd4
  du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
468bd4
468bd4
jpeg_zigzag_order is grub_uint8_t[64].
468bd4
468bd4
I don't understand JPEG decoders quite well enough to explain what's
468bd4
going on here. However, I observe sometimes pos=64, which leads to an
468bd4
OOB read of the jpeg_zigzag_order global then an OOB write to du.
468bd4
That leads to various unpleasant memory corruption conditions.
468bd4
468bd4
Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.
468bd4
468bd4
Signed-off-by: Daniel Axtens <dja@axtens.net>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/video/readers/jpeg.c | 8 ++++++++
468bd4
 1 file changed, 8 insertions(+)
468bd4
468bd4
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
468bd4
index 23f919aa070..e5148120f69 100644
468bd4
--- a/grub-core/video/readers/jpeg.c
468bd4
+++ b/grub-core/video/readers/jpeg.c
468bd4
@@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
468bd4
       val = grub_jpeg_get_number (data, num & 0xF);
468bd4
       num >>= 4;
468bd4
       pos += num;
468bd4
+
468bd4
+      if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
468bd4
+	{
468bd4
+	  grub_error (GRUB_ERR_BAD_FILE_TYPE,
468bd4
+		      "jpeg: invalid position in zigzag order!?");
468bd4
+	  return;
468bd4
+	}
468bd4
+
468bd4
       du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
468bd4
       pos++;
468bd4
     }