Blame SOURCES/0516-video-readers-png-Drop-greyscale-support-to-fix-heap.patch

b9d01e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b9d01e
From: Daniel Axtens <dja@axtens.net>
b9d01e
Date: Tue, 6 Jul 2021 18:51:35 +1000
b9d01e
Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap
b9d01e
 out-of-bounds write
b9d01e
b9d01e
A 16-bit greyscale PNG without alpha is processed in the following loop:
b9d01e
b9d01e
      for (i = 0; i < (data->image_width * data->image_height);
b9d01e
	   i++, d1 += 4, d2 += 2)
b9d01e
	{
b9d01e
	  d1[R3] = d2[1];
b9d01e
	  d1[G3] = d2[1];
b9d01e
	  d1[B3] = d2[1];
b9d01e
	}
b9d01e
b9d01e
The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
b9d01e
but there are only 3 bytes allocated for storage. This means that image
b9d01e
data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
b9d01e
out of every 4 following the end of the image.
b9d01e
b9d01e
This has existed since greyscale support was added in 2013 in commit
b9d01e
3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
b9d01e
b9d01e
Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
b9d01e
and attempting to load it causes grub-emu to crash - I don't think this code
b9d01e
has ever worked.
b9d01e
b9d01e
Delete all PNG greyscale support.
b9d01e
b9d01e
Fixes: CVE-2021-3695
b9d01e
b9d01e
Signed-off-by: Daniel Axtens <dja@axtens.net>
b9d01e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b9d01e
(cherry picked from commit 0e1d163382669bd734439d8864ee969616d971d9)
b9d01e
[rharwood: context conflict]
b9d01e
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
b9d01e
(cherry picked from commit 4c631c8119206b3178912df2905434d967661c3d)
b9d01e
(cherry picked from commit 6d5d5f51266b8113c6ba560835500e3c135f3722)
b9d01e
---
b9d01e
 grub-core/video/readers/png.c | 85 +++----------------------------------------
b9d01e
 1 file changed, 6 insertions(+), 79 deletions(-)
b9d01e
b9d01e
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
b9d01e
index 8955b8ecfd..a3161e25b6 100644
b9d01e
--- a/grub-core/video/readers/png.c
b9d01e
+++ b/grub-core/video/readers/png.c
b9d01e
@@ -100,7 +100,7 @@ struct grub_png_data
b9d01e
 
b9d01e
   unsigned image_width, image_height;
b9d01e
   int bpp, is_16bit;
b9d01e
-  int raw_bytes, is_gray, is_alpha, is_palette;
b9d01e
+  int raw_bytes, is_alpha, is_palette;
b9d01e
   int row_bytes, color_bits;
b9d01e
   grub_uint8_t *image_data;
b9d01e
 
b9d01e
@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
b9d01e
     data->bpp = 3;
b9d01e
   else
b9d01e
     {
b9d01e
-      data->is_gray = 1;
b9d01e
-      data->bpp = 1;
b9d01e
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+			 "png: color type not supported");
b9d01e
     }
b9d01e
 
b9d01e
   if ((color_bits != 8) && (color_bits != 16)
b9d01e
       && (color_bits != 4
b9d01e
-	  || !(data->is_gray || data->is_palette)))
b9d01e
+	  || !data->is_palette))
b9d01e
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
                        "png: bit depth must be 8 or 16");
b9d01e
 
b9d01e
@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
b9d01e
     }
b9d01e
 
b9d01e
 #ifndef GRUB_CPU_WORDS_BIGENDIAN
b9d01e
-  if (data->is_16bit || data->is_gray || data->is_palette)
b9d01e
+  if (data->is_16bit || data->is_palette)
b9d01e
 #endif
b9d01e
     {
b9d01e
       data->image_data = grub_calloc (data->image_height, data->row_bytes);
b9d01e
@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
b9d01e
       int shift;
b9d01e
       int mask = (1 << data->color_bits) - 1;
b9d01e
       unsigned j;
b9d01e
-      if (data->is_gray)
b9d01e
-	{
b9d01e
-	  /* Generic formula is
b9d01e
-	     (0xff * i) / ((1U << data->color_bits) - 1)
b9d01e
-	     but for allowed bit depth of 1, 2 and for it's
b9d01e
-	     equivalent to
b9d01e
-	     (0xff / ((1U << data->color_bits) - 1)) * i
b9d01e
-	     Precompute the multipliers to avoid division.
b9d01e
-	  */
b9d01e
 
b9d01e
-	  const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
b9d01e
-	  for (i = 0; i < (1U << data->color_bits); i++)
b9d01e
-	    {
b9d01e
-	      grub_uint8_t col = multipliers[data->color_bits] * i;
b9d01e
-	      palette[i][0] = col;
b9d01e
-	      palette[i][1] = col;
b9d01e
-	      palette[i][2] = col;
b9d01e
-	    }
b9d01e
-	}
b9d01e
-      else
b9d01e
-	grub_memcpy (palette, data->palette, 3 << data->color_bits);
b9d01e
+      grub_memcpy (palette, data->palette, 3 << data->color_bits);
b9d01e
       d1c = d1;
b9d01e
       d2c = d2;
b9d01e
       for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
b9d01e
@@ -956,60 +937,6 @@ grub_png_convert_image (struct grub_png_data *data)
b9d01e
 	}
b9d01e
       return;
b9d01e
     }
b9d01e
-  
b9d01e
-  if (data->is_gray)
b9d01e
-    {
b9d01e
-      switch (data->bpp)
b9d01e
-	{
b9d01e
-	case 4:
b9d01e
-	  /* 16-bit gray with alpha.  */
b9d01e
-	  for (i = 0; i < (data->image_width * data->image_height);
b9d01e
-	       i++, d1 += 4, d2 += 4)
b9d01e
-	    {
b9d01e
-	      d1[R4] = d2[3];
b9d01e
-	      d1[G4] = d2[3];
b9d01e
-	      d1[B4] = d2[3];
b9d01e
-	      d1[A4] = d2[1];
b9d01e
-	    }
b9d01e
-	  break;
b9d01e
-	case 2:
b9d01e
-	  if (data->is_16bit)
b9d01e
-	    /* 16-bit gray without alpha.  */
b9d01e
-	    {
b9d01e
-	      for (i = 0; i < (data->image_width * data->image_height);
b9d01e
-		   i++, d1 += 4, d2 += 2)
b9d01e
-		{
b9d01e
-		  d1[R3] = d2[1];
b9d01e
-		  d1[G3] = d2[1];
b9d01e
-		  d1[B3] = d2[1];
b9d01e
-		}
b9d01e
-	    }
b9d01e
-	  else
b9d01e
-	    /* 8-bit gray with alpha.  */
b9d01e
-	    {
b9d01e
-	      for (i = 0; i < (data->image_width * data->image_height);
b9d01e
-		   i++, d1 += 4, d2 += 2)
b9d01e
-		{
b9d01e
-		  d1[R4] = d2[1];
b9d01e
-		  d1[G4] = d2[1];
b9d01e
-		  d1[B4] = d2[1];
b9d01e
-		  d1[A4] = d2[0];
b9d01e
-		}
b9d01e
-	    }
b9d01e
-	  break;
b9d01e
-	  /* 8-bit gray without alpha.  */
b9d01e
-	case 1:
b9d01e
-	  for (i = 0; i < (data->image_width * data->image_height);
b9d01e
-	       i++, d1 += 3, d2++)
b9d01e
-	    {
b9d01e
-	      d1[R3] = d2[0];
b9d01e
-	      d1[G3] = d2[0];
b9d01e
-	      d1[B3] = d2[0];
b9d01e
-	    }
b9d01e
-	  break;
b9d01e
-	}
b9d01e
-      return;
b9d01e
-    }
b9d01e
 
b9d01e
     {
b9d01e
   /* Only copy the upper 8 bit.  */