Blame SOURCES/0250-normal-charset-Fix-array-out-of-bounds-formatting-un.patch

e28c09
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
e28c09
From: Daniel Axtens <dja@axtens.net>
e28c09
Date: Tue, 13 Jul 2021 13:24:38 +1000
e28c09
Subject: [PATCH] normal/charset: Fix array out-of-bounds formatting unicode
e28c09
 for display
e28c09
e28c09
In some cases attempting to display arbitrary binary strings leads
e28c09
to ASAN splats reading the widthspec array out of bounds.
e28c09
e28c09
Check the index. If it would be out of bounds, return a width of 1.
e28c09
I don't know if that's strictly correct, but we're not really expecting
e28c09
great display of arbitrary binary data, and it's certainly not worse than
e28c09
an OOB read.
e28c09
e28c09
Signed-off-by: Daniel Axtens <dja@axtens.net>
e28c09
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
e28c09
(cherry picked from commit fdf32abc7a3928852422c0f291d8cd1dd6b34a8d)
e28c09
(cherry picked from commit f2c10aaf335b88a69885375c4d68ffab2429df77)
e28c09
---
e28c09
 grub-core/normal/charset.c | 2 ++
e28c09
 1 file changed, 2 insertions(+)
e28c09
e28c09
diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
e28c09
index 4dfcc31078..7a5a7c153c 100644
e28c09
--- a/grub-core/normal/charset.c
e28c09
+++ b/grub-core/normal/charset.c
e28c09
@@ -395,6 +395,8 @@ grub_unicode_estimate_width (const struct grub_unicode_glyph *c)
e28c09
 {
e28c09
   if (grub_unicode_get_comb_type (c->base))
e28c09
     return 0;
e28c09
+  if (((unsigned long) (c->base >> 3)) >= ARRAY_SIZE (widthspec))
e28c09
+    return 1;
e28c09
   if (widthspec[c->base >> 3] & (1 << (c->base & 7)))
e28c09
     return 2;
e28c09
   else