nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0224-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch

e28c09
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
e28c09
From: Daniel Axtens <dja@axtens.net>
e28c09
Date: Tue, 6 Jul 2021 23:25:07 +1000
e28c09
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
e28c09
 items
e28c09
e28c09
In fuzzing we observed crashes where a code would attempt to be inserted
e28c09
into a huffman table before the start, leading to a set of heap OOB reads
e28c09
and writes as table entries with negative indices were shifted around and
e28c09
the new code written in.
e28c09
e28c09
Catch the case where we would underflow the array and bail.
e28c09
e28c09
Fixes: CVE-2021-3696
e28c09
e28c09
Signed-off-by: Daniel Axtens <dja@axtens.net>
e28c09
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
e28c09
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
e28c09
---
e28c09
 grub-core/video/readers/png.c | 7 +++++++
e28c09
 1 file changed, 7 insertions(+)
e28c09
e28c09
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
e28c09
index a3161e25b6..d7ed5aa6cf 100644
e28c09
--- a/grub-core/video/readers/png.c
e28c09
+++ b/grub-core/video/readers/png.c
e28c09
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
e28c09
   for (i = len; i < ht->max_length; i++)
e28c09
     n += ht->maxval[i];
e28c09
 
e28c09
+  if (n > ht->num_values)
e28c09
+    {
e28c09
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
e28c09
+		  "png: out of range inserting huffman table item");
e28c09
+      return;
e28c09
+    }
e28c09
+
e28c09
   for (i = 0; i < n; i++)
e28c09
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
e28c09