Blame SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch

530103
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
530103
From: Zhang Boyang <zhangboyang.id@gmail.com>
530103
Date: Fri, 5 Aug 2022 00:51:20 +0800
530103
Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
530103
530103
The length of memory allocation and file read may overflow. This patch
530103
fixes the problem by using safemath macros.
530103
530103
There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
530103
if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
530103
It is safe replacement for such code. It has safemath-like prototype.
530103
530103
This patch also introduces grub_cast(value, pointer), it casts value to
530103
typeof(*pointer) then store the value to *pointer. It returns true when
530103
overflow occurs or false if there is no overflow. The semantics of arguments
530103
and return value are designed to be consistent with other safemath macros.
530103
530103
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
530103
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
530103
(cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
530103
(cherry picked from commit 6bca9693878bdf61dd62b8c784862a48e75f569a)
530103
(cherry picked from commit edbbda5486cf8c3dc2b68fbd3dead822ab448022)
530103
---
530103
 grub-core/font/font.c   | 17 +++++++++++++----
530103
 include/grub/bitmap.h   | 18 ++++++++++++++++++
530103
 include/grub/safemath.h |  2 ++
530103
 3 files changed, 33 insertions(+), 4 deletions(-)
530103
530103
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
530103
index 8d1a990401..d6df79602d 100644
530103
--- a/grub-core/font/font.c
530103
+++ b/grub-core/font/font.c
530103
@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
530103
       grub_int16_t xoff;
530103
       grub_int16_t yoff;
530103
       grub_int16_t dwidth;
530103
-      int len;
530103
+      grub_ssize_t len;
530103
+      grub_size_t sz;
530103
 
530103
       if (index_entry->glyph)
530103
 	/* Return cached glyph.  */
530103
@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
530103
 	  return 0;
530103
 	}
530103
 
530103
-      len = (width * height + 7) / 8;
530103
-      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
530103
-      if (!glyph)
530103
+      /* Calculate real struct size of current glyph. */
530103
+      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
530103
+	  grub_add (sizeof (struct grub_font_glyph), len, &sz))
530103
+	{
530103
+	  remove_font (font);
530103
+	  return 0;
530103
+	}
530103
+
530103
+      /* Allocate and initialize the glyph struct. */
530103
+      glyph = grub_malloc (sz);
530103
+      if (glyph == NULL)
530103
 	{
530103
 	  remove_font (font);
530103
 	  return 0;
530103
diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
530103
index 5728f8ca3a..0d9603f619 100644
530103
--- a/include/grub/bitmap.h
530103
+++ b/include/grub/bitmap.h
530103
@@ -23,6 +23,7 @@
530103
 #include <grub/symbol.h>
530103
 #include <grub/types.h>
530103
 #include <grub/video.h>
530103
+#include <grub/safemath.h>
530103
 
530103
 struct grub_video_bitmap
530103
 {
530103
@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
530103
   return bitmap->mode_info.height;
530103
 }
530103
 
530103
+/*
530103
+ * Calculate and store the size of data buffer of 1bit bitmap in result.
530103
+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
530103
+ * Return true when overflow occurs or false if there is no overflow.
530103
+ * This function is intentionally implemented as a macro instead of
530103
+ * an inline function. Although a bit awkward, it preserves data types for
530103
+ * safemath macros and reduces macro side effects as much as possible.
530103
+ *
530103
+ * XXX: Will report false overflow if width * height > UINT64_MAX.
530103
+ */
530103
+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
530103
+({ \
530103
+  grub_uint64_t _bitmap_pixels; \
530103
+  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
530103
+    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
530103
+})
530103
+
530103
 void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
530103
 						    struct grub_video_mode_info *mode_info);
530103
 
530103
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
530103
index 1ccac276b5..30800ad6a1 100644
530103
--- a/include/grub/safemath.h
530103
+++ b/include/grub/safemath.h
530103
@@ -30,6 +30,8 @@
530103
 #define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
530103
 #define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)
530103
 
530103
+#define grub_cast(a, res)	grub_add ((a), 0, (res))
530103
+
530103
 #else
530103
 /*
530103
  * Copyright 2020 Rasmus Villemoes