nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0434-video-readers-jpeg-Catch-files-with-unsupported-quan.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Daniel Axtens <dja@axtens.net>
468bd4
Date: Fri, 15 Jan 2021 12:57:04 +1100
468bd4
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
468bd4
 or Huffman tables
468bd4
468bd4
Our decoder only supports 2 quantization tables. If a file asks for
468bd4
a quantization table with index > 1, reject it.
468bd4
468bd4
Similarly, our decoder only supports 4 Huffman tables. If a file asks
468bd4
for a Huffman table with index > 3, reject it.
468bd4
468bd4
This fixes some out of bounds reads. It's not clear what degree of control
468bd4
over subsequent execution could be gained by someone who can carefully
468bd4
set up the contents of memory before loading an invalid JPEG file.
468bd4
468bd4
Signed-off-by: Daniel Axtens <dja@axtens.net>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/video/readers/jpeg.c | 8 ++++++++
468bd4
 1 file changed, 8 insertions(+)
468bd4
468bd4
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
030dc3
index 0b6ce3cee64..23f919aa070 100644
468bd4
--- a/grub-core/video/readers/jpeg.c
468bd4
+++ b/grub-core/video/readers/jpeg.c
468bd4
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
468bd4
       else if (ss != JPEG_SAMPLING_1x1)
468bd4
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
468bd4
 			   "jpeg: sampling method not supported");
468bd4
+
468bd4
       data->comp_index[id][0] = grub_jpeg_get_byte (data);
468bd4
+      if (data->comp_index[id][0] > 1)
468bd4
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
468bd4
+			   "jpeg: too many quantization tables");
468bd4
     }
468bd4
 
468bd4
   if (data->file->offset != next_marker)
468bd4
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
468bd4
       ht = grub_jpeg_get_byte (data);
468bd4
       data->comp_index[id][1] = (ht >> 4);
468bd4
       data->comp_index[id][2] = (ht & 0xF) + 2;
468bd4
+
468bd4
+      if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
468bd4
+	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
468bd4
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
468bd4
     }
468bd4
 
468bd4
   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */