Blame SOURCES/0460-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch

d18179
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
d18179
From: Daniel Axtens <dja@axtens.net>
d18179
Date: Tue, 6 Jul 2021 23:25:07 +1000
d18179
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
d18179
 items
d18179
d18179
In fuzzing we observed crashes where a code would attempt to be inserted
d18179
into a huffman table before the start, leading to a set of heap OOB reads
d18179
and writes as table entries with negative indices were shifted around and
d18179
the new code written in.
d18179
d18179
Catch the case where we would underflow the array and bail.
d18179
d18179
Fixes: CVE-2021-3696
d18179
d18179
Signed-off-by: Daniel Axtens <dja@axtens.net>
d18179
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
d18179
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
d18179
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd)
d18179
(cherry picked from commit 3a70e1f6e69af6e0d3c3cf526faa44dc0c80ac19)
d18179
(cherry picked from commit 9990cee64b053a1593cf9883d73b630405519be2)
d18179
---
d18179
 grub-core/video/readers/png.c | 7 +++++++
d18179
 1 file changed, 7 insertions(+)
d18179
d18179
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
d18179
index dcfdaa8596..24e972d1ba 100644
d18179
--- a/grub-core/video/readers/png.c
d18179
+++ b/grub-core/video/readers/png.c
d18179
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
d18179
   for (i = len; i < ht->max_length; i++)
d18179
     n += ht->maxval[i];
d18179
 
d18179
+  if (n > ht->num_values)
d18179
+    {
d18179
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
d18179
+		  "png: out of range inserting huffman table item");
d18179
+      return;
d18179
+    }
d18179
+
d18179
   for (i = 0; i < n; i++)
d18179
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
d18179