nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone
Blob Blame History Raw
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 6 Jul 2021 23:25:07 +1000
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
 items

In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.

Catch the case where we would underflow the array and bail.

Fixes: CVE-2021-3696

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
(cherry picked from commit 3a70e1f6e69af6e0d3c3cf526faa44dc0c80ac19)
(cherry picked from commit 9990cee64b053a1593cf9883d73b630405519be2)
---
 grub-core/video/readers/png.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index dcfdaa8596..24e972d1ba 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
   for (i = len; i < ht->max_length; i++)
     n += ht->maxval[i];
 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "png: out of range inserting huffman table item");
+      return;
+    }
+
   for (i = 0; i < n; i++)
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];