nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0434-video-readers-jpeg-Catch-files-with-unsupported-quan.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Daniel Axtens <dja@axtens.net>
80913e
Date: Fri, 15 Jan 2021 12:57:04 +1100
80913e
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
80913e
 or Huffman tables
80913e
80913e
Our decoder only supports 2 quantization tables. If a file asks for
80913e
a quantization table with index > 1, reject it.
80913e
80913e
Similarly, our decoder only supports 4 Huffman tables. If a file asks
80913e
for a Huffman table with index > 3, reject it.
80913e
80913e
This fixes some out of bounds reads. It's not clear what degree of control
80913e
over subsequent execution could be gained by someone who can carefully
80913e
set up the contents of memory before loading an invalid JPEG file.
80913e
80913e
Signed-off-by: Daniel Axtens <dja@axtens.net>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/video/readers/jpeg.c | 8 ++++++++
80913e
 1 file changed, 8 insertions(+)
80913e
80913e
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
b32e65
index 0b6ce3cee..23f919aa0 100644
80913e
--- a/grub-core/video/readers/jpeg.c
80913e
+++ b/grub-core/video/readers/jpeg.c
80913e
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
80913e
       else if (ss != JPEG_SAMPLING_1x1)
80913e
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
80913e
 			   "jpeg: sampling method not supported");
80913e
+
80913e
       data->comp_index[id][0] = grub_jpeg_get_byte (data);
80913e
+      if (data->comp_index[id][0] > 1)
80913e
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
80913e
+			   "jpeg: too many quantization tables");
80913e
     }
80913e
 
80913e
   if (data->file->offset != next_marker)
80913e
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
80913e
       ht = grub_jpeg_get_byte (data);
80913e
       data->comp_index[id][1] = (ht >> 4);
80913e
       data->comp_index[id][2] = (ht & 0xF) + 2;
80913e
+
80913e
+      if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
80913e
+	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
80913e
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
80913e
     }
80913e
 
80913e
   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */