nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0287-font-Do-not-load-more-than-one-NAME-section.patch

a4d572
From 0b3c4b90e1b928a2606f0801e6e872dd6cb85c42 Mon Sep 17 00:00:00 2001
a4d572
From: Daniel Kiper <daniel.kiper@oracle.com>
a4d572
Date: Tue, 7 Jul 2020 15:36:26 +0200
a4d572
Subject: [PATCH 287/314] font: Do not load more than one NAME section
a4d572
a4d572
The GRUB font file can have one NAME section only. Though if somebody
a4d572
crafts a broken font file with many NAME sections and loads it then the
a4d572
GRUB leaks memory. So, prevent against that by loading first NAME
a4d572
section and failing in controlled way on following one.
a4d572
a4d572
Reported-by: Chris Coulson <chris.coulson@canonical.com>
a4d572
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
a4d572
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
a4d572
Upstream-commit-id: 482814113dc
a4d572
---
a4d572
 grub-core/font/font.c | 6 ++++++
a4d572
 1 file changed, 6 insertions(+)
a4d572
a4d572
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
a4d572
index d63354fb51b..a7b955a1a74 100644
a4d572
--- a/grub-core/font/font.c
a4d572
+++ b/grub-core/font/font.c
a4d572
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
a4d572
       if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
a4d572
 		       sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
a4d572
 	{
a4d572
+	  if (font->name != NULL)
a4d572
+	    {
a4d572
+	      grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
a4d572
+	      goto fail;
a4d572
+	    }
a4d572
+
a4d572
 	  font->name = read_section_as_string (&section);
a4d572
 	  if (!font->name)
a4d572
 	    goto fail;
a4d572
-- 
a4d572
2.26.2
a4d572