Blame SOURCES/ovmf-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch

From 44941e738b975e52a6494cfd9f71db5ad3f411b8 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 22 Mar 2019 17:39:36 +0100
Subject: [PATCH 2/8] MdeModulePkg/HiiImage: Fix stack overflow when corrupted
 BMP is parsed (CVE-2018-12181)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Message-id: <20190322163936.10835-3-lersek@redhat.com>
Patchwork-id: 85123
O-Subject:  [RHEL-7.7 ovmf PATCH 2/2] MdeModulePkg/HiiImage: Fix stack overflow
	when corrupted BMP is parsed (CVE-2018-12181)
Bugzilla: 1691479
Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
From: Ray Ni <ray.ni@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
For 4-bit BMP, there are only 2^4 = 16 colors in the palette.
But when a corrupted BMP contains more than 16 colors in the palette,
today's implementation wrongly copies all colors to the local
PaletteValue[16] array, which causes a stack overflow.
A similar issue also exists in the logic to handle 8-bit BMP.
The patch fixes the issue by copying only the first 16 or 256 colors
in the palette, depending on the BMP type.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
(cherry picked from commit 89910a39dcfd788057caa5d88b7e76e112d187b5)
---
 MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
index dc9566b..9829bdd 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
@@ -370,7 +370,7 @@ Output4bitPixel (
   PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
 
   ZeroMem (PaletteValue, sizeof (PaletteValue));
-  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
+  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
   FreePool (Palette);
 
   //
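Review bot: the clamp in the changed CopyRgbToGopPixel call stops the write past PaletteValue[16], but it silently accepts a palette a 4-bit image cannot legitimately carry; a PaletteNum larger than ARRAY_SIZE (PaletteValue) means the image block is malformed, so consider failing the call (or at least emitting a DEBUG message) before the copy rather than rendering with a truncated palette. The clamp itself is sound: MIN compares the UINT16 PaletteNum against the UINTN from ARRAY_SIZE, the copied count can never exceed 16, and 4-bit pixel indices stay within 0..15, so no pixel can reference a dropped entry.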
@@ -447,7 +447,7 @@ Output8bitPixel (
   CopyMem (Palette, PaletteInfo, PaletteSize);
   PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
   ZeroMem (PaletteValue, sizeof (PaletteValue));
-  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, PaletteNum);
+  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, MIN (PaletteNum, ARRAY_SIZE (PaletteValue)));
   FreePool (Palette);
 
   //
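Review bot: this is the same clamp as in Output4bitPixel with only the array size differing, and both sites derive PaletteNum from Palette->PaletteSize right after copying the palette in (CopyMem (Palette, PaletteInfo, PaletteSize) is visible just above); factoring the "copy at most ARRAY_SIZE (PaletteValue) entries" step into one shared helper would keep a future palette handler from repeating the unbounded call. As in the 4-bit hunk, a PaletteNum above 256 signals a corrupted 8-bit image, so a DEBUG message or an error return at that point would make the corruption visible instead of rendering with a partial palette.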
-- 
1.8.3.1
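The palette copy the commit message describes, as an added stand-alone C model that is not EDK II code and not part of this patch: it re-declares the relevant EDK II types and macros locally with the same layout, shows the post-fix MIN-clamped copy with the pre-fix call noted beside it, and feeds it a constructed palette that claims 20 entries for a 4-bit image. BuildPalette, ValidatePalette, BoundedCopyCount and RunExample are hypothetical helpers written for this example; ValidatePalette shows the alternative of rejecting an oversized palette outright rather than truncating it.

```c
/* Added example, not EDK II code: a stand-alone model of the 4-bit palette copy
 * fixed in HiiDatabaseDxe/Image.c. Type and macro names mirror EDK II's but are
 * local definitions; BuildPalette, ValidatePalette, BoundedCopyCount and
 * RunExample are hypothetical helpers written for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t UINT8; typedef uint16_t UINT16; typedef size_t UINTN;

#define ARRAY_SIZE(Arr)  (sizeof (Arr) / sizeof ((Arr)[0]))
#define MIN(a, b)        (((a) < (b)) ? (a) : (b))

typedef struct { UINT8 Blue, Green, Red; }           EFI_HII_RGB_PIXEL;             /* 3 bytes */
typedef struct { UINT8 Blue, Green, Red, Reserved; } EFI_GRAPHICS_OUTPUT_BLT_PIXEL; /* 4 bytes */

/* Palette as carried in the image block: a byte count, then RGB entries. */
typedef struct {
  UINT16            PaletteSize;
  EFI_HII_RGB_PIXEL PaletteValue[];
} EFI_HII_IMAGE_PALETTE_INFO;

static void
CopyRgbToGopPixel (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Gop, const EFI_HII_RGB_PIXEL *Rgb, UINTN PixelNum)
{
  for (UINTN Index = 0; Index < PixelNum; Index++) {
    Gop[Index].Red      = Rgb[Index].Red;
    Gop[Index].Green    = Rgb[Index].Green;
    Gop[Index].Blue     = Rgb[Index].Blue;
    Gop[Index].Reserved = 0;
  }
}

/* Post-fix shape of Output4bitPixel: PaletteNum comes straight from the image,
 * so the copy is clamped to the 16-slot stack array. Writes the 16 GOP pixels
 * to Out, sets *Truncated if entries were dropped, returns the count copied. */
static UINTN
Output4bitPaletteBounded (const EFI_HII_IMAGE_PALETTE_INFO *Palette,
                          EFI_GRAPHICS_OUTPUT_BLT_PIXEL Out[16], int *Truncated)
{
  EFI_GRAPHICS_OUTPUT_BLT_PIXEL PaletteValue[16];
  UINT16 PaletteNum = (UINT16)(Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL));
  UINTN  CopyNum    = MIN (PaletteNum, ARRAY_SIZE (PaletteValue));
  memset (PaletteValue, 0, sizeof (PaletteValue));
  /* Pre-fix (CVE-2018-12181) this call was passed PaletteNum and wrote past
   * PaletteValue whenever a corrupted image claimed more than 16 entries. */
  CopyRgbToGopPixel (PaletteValue, Palette->PaletteValue, CopyNum);
  memcpy (Out, PaletteValue, sizeof (PaletteValue));
  *Truncated = PaletteNum > CopyNum;   /* 4-bit pixel indices are 0..15, so the dropped tail is never used */
  return CopyNum;
}

/* Stricter alternative: reject a palette with more than 2^Bpp entries instead
 * of silently dropping the tail. Returns 0 when acceptable. */
static int
ValidatePalette (const EFI_HII_IMAGE_PALETTE_INFO *Palette, unsigned Bpp)
{
  UINTN PaletteNum = Palette->PaletteSize / sizeof (EFI_HII_RGB_PIXEL);
  return (PaletteNum > (1u << Bpp)) ? -1 : 0;
}

/* Constructed input (not a real image): a palette claiming NumEntries colours,
 * entry i = (Blue i, Green 2i, Red 3i) mod 256. Buf must be 2-byte aligned. */
static EFI_HII_IMAGE_PALETTE_INFO *
BuildPalette (void *Buf, UINTN BufLen, UINT16 NumEntries)
{
  UINTN Needed = sizeof (UINT16) + (UINTN)NumEntries * sizeof (EFI_HII_RGB_PIXEL);
  if (BufLen < Needed) return NULL;
  EFI_HII_IMAGE_PALETTE_INFO *Palette = Buf;
  Palette->PaletteSize = (UINT16)(NumEntries * sizeof (EFI_HII_RGB_PIXEL));
  for (UINTN i = 0; i < NumEntries; i++) {
    Palette->PaletteValue[i].Blue  = (UINT8)i;
    Palette->PaletteValue[i].Green = (UINT8)(2 * i);
    Palette->PaletteValue[i].Red   = (UINT8)(3 * i);
  }
  return Palette;
}

/* Entries the fixed path copies for NumEntries; (UINTN)-1 if the 2 KiB scratch buffer is too small. */
static UINTN
BoundedCopyCount (UINT16 NumEntries)
{
  UINT16 Raw[1024];
  EFI_GRAPHICS_OUTPUT_BLT_PIXEL Out[16];
  int Truncated;
  EFI_HII_IMAGE_PALETTE_INFO *Palette = BuildPalette (Raw, sizeof (Raw), NumEntries);
  return (Palette == NULL) ? (UINTN)-1 : Output4bitPaletteBounded (Palette, Out, &Truncated);
}

/* 0 when the fixed path behaves as expected on a 20-entry and a 10-entry palette; else one bit per failed check. */
static int
RunExample (void)
{
  UINT16 Raw[1024];
  EFI_GRAPHICS_OUTPUT_BLT_PIXEL Out[16];
  int Truncated = 0, Failures = 0;
  EFI_HII_IMAGE_PALETTE_INFO *Palette = BuildPalette (Raw, sizeof (Raw), 20);
  if (Output4bitPaletteBounded (Palette, Out, &Truncated) != 16)       Failures |= 1;
  if (!Truncated || ValidatePalette (Palette, 4) == 0)                 Failures |= 2;
  if (Out[15].Red != 45 || Out[15].Green != 30 || Out[15].Blue != 15) Failures |= 4;
  Palette = BuildPalette (Raw, sizeof (Raw), 10);
  if (Output4bitPaletteBounded (Palette, Out, &Truncated) != 10)       Failures |= 8;
  if (Truncated || ValidatePalette (Palette, 4) != 0)                  Failures |= 16;
  if (Out[12].Red != 0 || Out[12].Reserved != 0)                       Failures |= 32;
  return Failures;
}
```

RunExample returns 0 when the clamped copy keeps exactly 16 of the 20 claimed entries and leaves the unused slots zeroed for a normal 10-entry palette; ValidatePalette is what a reviewer asking for an error return instead of silent truncation would add before the copy.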