nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0396-video-readers-jpeg-Catch-files-with-unsupported-quan.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Daniel Axtens <dja@axtens.net>
b1bcb2
Date: Fri, 15 Jan 2021 12:57:04 +1100
b1bcb2
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
b1bcb2
 or Huffman tables
b1bcb2
b1bcb2
Our decoder only supports 2 quantization tables. If a file asks for
b1bcb2
a quantization table with index > 1, reject it.
b1bcb2
b1bcb2
Similarly, our decoder only supports 4 Huffman tables. If a file asks
b1bcb2
for a Huffman table with index > 3, reject it.
b1bcb2
b1bcb2
This fixes some out of bounds reads. It's not clear what degree of control
b1bcb2
over subsequent execution could be gained by someone who can carefully
b1bcb2
set up the contents of memory before loading an invalid JPEG file.
b1bcb2
b1bcb2
Signed-off-by: Daniel Axtens <dja@axtens.net>
b1bcb2
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
---
b1bcb2
 grub-core/video/readers/jpeg.c | 8 ++++++++
b1bcb2
 1 file changed, 8 insertions(+)
b1bcb2
b1bcb2
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
b1bcb2
index ed6d9bfd160..5d3fa4de37d 100644
b1bcb2
--- a/grub-core/video/readers/jpeg.c
b1bcb2
+++ b/grub-core/video/readers/jpeg.c
b1bcb2
@@ -330,7 +330,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
b1bcb2
       else if (ss != JPEG_SAMPLING_1x1)
b1bcb2
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b1bcb2
 			   "jpeg: sampling method not supported");
b1bcb2
+
b1bcb2
       data->comp_index[id][0] = grub_jpeg_get_byte (data);
b1bcb2
+      if (data->comp_index[id][0] > 1)
b1bcb2
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b1bcb2
+			   "jpeg: too many quantization tables");
b1bcb2
     }
b1bcb2
 
b1bcb2
   if (data->file->offset != next_marker)
b1bcb2
@@ -599,6 +603,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
b1bcb2
       ht = grub_jpeg_get_byte (data);
b1bcb2
       data->comp_index[id][1] = (ht >> 4);
b1bcb2
       data->comp_index[id][2] = (ht & 0xF) + 2;
b1bcb2
+
b1bcb2
+      if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
b1bcb2
+	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
b1bcb2
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
b1bcb2
     }
b1bcb2
 
b1bcb2
   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */