Blame SOURCES/0512-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch

bf0270
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
bf0270
From: Daniel Axtens <dja@axtens.net>
bf0270
Date: Tue, 6 Jul 2021 23:25:07 +1000
bf0270
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
bf0270
 items
bf0270
bf0270
In fuzzing we observed crashes where a code would attempt to be inserted
bf0270
into a huffman table before the start, leading to a set of heap OOB reads
bf0270
and writes as table entries with negative indices were shifted around and
bf0270
the new code written in.
bf0270
bf0270
Catch the case where we would underflow the array and bail.
bf0270
bf0270
Fixes: CVE-2021-3696
bf0270
bf0270
Signed-off-by: Daniel Axtens <dja@axtens.net>
bf0270
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
bf0270
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
bf0270
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
bf0270
(cherry picked from commit 3a70e1f6e69af6e0d3c3cf526faa44dc0c80ac19)
bf0270
(cherry picked from commit 809d25ffa6b89d390a66d2f3cf3090196f07e2aa)
bf0270
---
bf0270
 grub-core/video/readers/png.c | 7 +++++++
bf0270
 1 file changed, 7 insertions(+)
bf0270
bf0270
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
bf0270
index a3161e25b6..d7ed5aa6cf 100644
bf0270
--- a/grub-core/video/readers/png.c
bf0270
+++ b/grub-core/video/readers/png.c
bf0270
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
bf0270
   for (i = len; i < ht->max_length; i++)
bf0270
     n += ht->maxval[i];
bf0270
 
bf0270
+  if (n > ht->num_values)
bf0270
+    {
bf0270
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
bf0270
+		  "png: out of range inserting huffman table item");
bf0270
+      return;
bf0270
+    }
bf0270
+
bf0270
   for (i = 0; i < n; i++)
bf0270
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
bf0270