Blame SOURCES/0518-video-readers-png-Sanity-check-some-huffman-codes.patch

b9d01e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b9d01e
From: Daniel Axtens <dja@axtens.net>
b9d01e
Date: Tue, 6 Jul 2021 19:19:11 +1000
b9d01e
Subject: [PATCH] video/readers/png: Sanity check some huffman codes
b9d01e
b9d01e
ASAN picked up two OOB global reads: we weren't checking if some code
b9d01e
values fit within the cplens or cpdext arrays. Check and throw an error
b9d01e
if not.
b9d01e
b9d01e
Signed-off-by: Daniel Axtens <dja@axtens.net>
b9d01e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b9d01e
(cherry picked from commit c3a8ab0cbd24153ec7b1f84a96ddfdd72ef8d117)
b9d01e
(cherry picked from commit 5d09addf58086aa11d5f9a91af5632ff87c2d2ee)
b9d01e
(cherry picked from commit ff12584f9376a472f37d4ec14213fd29bf3b233a)
b9d01e
---
b9d01e
 grub-core/video/readers/png.c | 6 ++++++
b9d01e
 1 file changed, 6 insertions(+)
b9d01e
b9d01e
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
b9d01e
index d7ed5aa6cf..7f2ba7849b 100644
b9d01e
--- a/grub-core/video/readers/png.c
b9d01e
+++ b/grub-core/video/readers/png.c
b9d01e
@@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
b9d01e
 	  int len, dist, pos;
b9d01e
 
b9d01e
 	  n -= 257;
b9d01e
+	  if (((unsigned int) n) >= ARRAY_SIZE (cplens))
b9d01e
+	    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+			       "png: invalid huff code");
b9d01e
 	  len = cplens[n];
b9d01e
 	  if (cplext[n])
b9d01e
 	    len += grub_png_get_bits (data, cplext[n]);
b9d01e
@@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
b9d01e
 	    return grub_errno;
b9d01e
 
b9d01e
 	  n = grub_png_get_huff_code (data, &data->dist_table);
b9d01e
+	  if (((unsigned int) n) >= ARRAY_SIZE (cpdist))
b9d01e
+	    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
b9d01e
+			       "png: invalid huff code");
b9d01e
 	  dist = cpdist[n];
b9d01e
 	  if (cpdext[n])
b9d01e
 	    dist += grub_png_get_bits (data, cpdext[n]);