nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0228-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch

b35c50
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b35c50
From: Daniel Axtens <dja@axtens.net>
b35c50
Date: Mon, 28 Jun 2021 14:25:17 +1000
b35c50
Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
b35c50
 streams
b35c50
b35c50
An invalid file could contain multiple start of stream blocks, which
b35c50
would cause us to reallocate and leak our bitmap. Refuse to handle
b35c50
multiple start of streams.
b35c50
b35c50
Additionally, fix a grub_error() call formatting.
b35c50
b35c50
Signed-off-by: Daniel Axtens <dja@axtens.net>
b35c50
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b35c50
(cherry picked from commit f3a854def3e281b7ad4bbea730cd3046de1da52f)
b35c50
---
b35c50
 grub-core/video/readers/jpeg.c | 7 +++++--
b35c50
 1 file changed, 5 insertions(+), 2 deletions(-)
b35c50
b35c50
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
b35c50
index caa211f06d..1df1171d78 100644
b35c50
--- a/grub-core/video/readers/jpeg.c
b35c50
+++ b/grub-core/video/readers/jpeg.c
b35c50
@@ -677,6 +677,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
b35c50
   if (data->file->offset != data_offset)
b35c50
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
b35c50
 
b35c50
+  if (*data->bitmap)
b35c50
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
b35c50
+
b35c50
   if (grub_video_bitmap_create (data->bitmap, data->image_width,
b35c50
 				data->image_height,
b35c50
 				GRUB_VIDEO_BLIT_FORMAT_RGB_888))
b35c50
@@ -699,8 +702,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
b35c50
   nc1 = (data->image_width + hb - 1)  >> (3 + data->log_hs);
b35c50
 
b35c50
   if (data->bitmap_ptr == NULL)
b35c50
-    return grub_error(GRUB_ERR_BAD_FILE_TYPE,
b35c50
-		      "jpeg: attempted to decode data before start of stream");
b35c50
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b35c50
+		       "jpeg: attempted to decode data before start of stream");
b35c50
 
b35c50
   for (; data->r1 < nr1 && (!data->dri || rst);
b35c50
        data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)