|
|
80913e |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
80913e |
From: Daniel Axtens <dja@axtens.net>
|
|
|
80913e |
Date: Fri, 15 Jan 2021 12:57:04 +1100
|
|
|
80913e |
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
|
|
|
80913e |
or Huffman tables
|
|
|
80913e |
|
|
|
80913e |
Our decoder only supports 2 quantization tables. If a file asks for
|
|
|
80913e |
a quantization table with index > 1, reject it.
|
|
|
80913e |
|
|
|
80913e |
Similarly, our decoder only supports 4 Huffman tables. If a file asks
|
|
|
80913e |
for a Huffman table with index > 3, reject it.
|
|
|
80913e |
|
|
|
80913e |
This fixes some out of bounds reads. It's not clear what degree of control
|
|
|
80913e |
over subsequent execution could be gained by someone who can carefully
|
|
|
80913e |
set up the contents of memory before loading an invalid JPEG file.
|
|
|
80913e |
|
|
|
80913e |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
80913e |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
80913e |
---
|
|
|
80913e |
grub-core/video/readers/jpeg.c | 8 ++++++++
|
|
|
80913e |
1 file changed, 8 insertions(+)
|
|
|
80913e |
|
|
|
80913e |
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
|
|
80913e |
index 0b6ce3cee64..23f919aa070 100644
|
|
|
80913e |
--- a/grub-core/video/readers/jpeg.c
|
|
|
80913e |
+++ b/grub-core/video/readers/jpeg.c
|
|
|
80913e |
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
|
|
|
80913e |
else if (ss != JPEG_SAMPLING_1x1)
|
|
|
80913e |
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
80913e |
"jpeg: sampling method not supported");
|
|
|
80913e |
+
|
|
|
80913e |
data->comp_index[id][0] = grub_jpeg_get_byte (data);
|
|
|
80913e |
+ if (data->comp_index[id][0] > 1)
|
|
|
80913e |
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
|
80913e |
+ "jpeg: too many quantization tables");
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
if (data->file->offset != next_marker)
|
|
|
80913e |
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
|
|
80913e |
ht = grub_jpeg_get_byte (data);
|
|
|
80913e |
data->comp_index[id][1] = (ht >> 4);
|
|
|
80913e |
data->comp_index[id][2] = (ht & 0xF) + 2;
|
|
|
80913e |
+
|
|
|
80913e |
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
|
|
|
80913e |
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
|
|
|
80913e |
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
|
|
|
80913e |
}
|
|
|
80913e |
|
|
|
80913e |
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
|