Blame SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch

a9bbe0
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
a9bbe0
From: Zhang Boyang <zhangboyang.id@gmail.com>
a9bbe0
Date: Fri, 5 Aug 2022 01:58:27 +0800
a9bbe0
Subject: [PATCH] font: Fix several integer overflows in
a9bbe0
 grub_font_construct_glyph()
a9bbe0
a9bbe0
This patch fixes several integer overflows in grub_font_construct_glyph().
a9bbe0
Glyphs of invalid size, zero or leading to an overflow, are rejected.
a9bbe0
The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
a9bbe0
returns NULL is fixed too.
a9bbe0
a9bbe0
Fixes: CVE-2022-2601
a9bbe0
a9bbe0
Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
a9bbe0
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
a9bbe0
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
a9bbe0
(cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
a9bbe0
(cherry picked from commit b91eb9bd6c724339b7d7bb4765b9d36f1ee88b84)
a9bbe0
(cherry picked from commit 1ebafd82dd19e522f0d753fd9828553fe8bcac78)
a9bbe0
---
a9bbe0
 grub-core/font/font.c | 29 +++++++++++++++++------------
a9bbe0
 1 file changed, 17 insertions(+), 12 deletions(-)
a9bbe0
a9bbe0
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
a9bbe0
index d6df79602d..129aaa3838 100644
a9bbe0
--- a/grub-core/font/font.c
a9bbe0
+++ b/grub-core/font/font.c
a9bbe0
@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
a9bbe0
   struct grub_video_signed_rect bounds;
a9bbe0
   static struct grub_font_glyph *glyph = 0;
a9bbe0
   static grub_size_t max_glyph_size = 0;
a9bbe0
+  grub_size_t cur_glyph_size;
a9bbe0
 
a9bbe0
   ensure_comb_space (glyph_id);
a9bbe0
 
a9bbe0
@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
a9bbe0
   if (!glyph_id->ncomb && !glyph_id->attributes)
a9bbe0
     return main_glyph;
a9bbe0
 
a9bbe0
-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
a9bbe0
+  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
a9bbe0
+      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
a9bbe0
+    return main_glyph;
a9bbe0
+
a9bbe0
+  if (max_glyph_size < cur_glyph_size)
a9bbe0
     {
a9bbe0
       grub_free (glyph);
a9bbe0
-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
a9bbe0
-      if (max_glyph_size < 8)
a9bbe0
-	max_glyph_size = 8;
a9bbe0
-      glyph = grub_malloc (max_glyph_size);
a9bbe0
+      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
a9bbe0
+	max_glyph_size = 0;
a9bbe0
+      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
a9bbe0
     }
a9bbe0
   if (!glyph)
a9bbe0
     {
a9bbe0
+      max_glyph_size = 0;
a9bbe0
       grub_errno = GRUB_ERR_NONE;
a9bbe0
       return main_glyph;
a9bbe0
     }
a9bbe0
 
a9bbe0
-  grub_memset (glyph, 0, sizeof (*glyph)
a9bbe0
-	       + (bounds.width * bounds.height
a9bbe0
-		  + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
a9bbe0
+  grub_memset (glyph, 0, cur_glyph_size);
a9bbe0
 
a9bbe0
   glyph->font = main_glyph->font;
a9bbe0
-  glyph->width = bounds.width;
a9bbe0
-  glyph->height = bounds.height;
a9bbe0
-  glyph->offset_x = bounds.x;
a9bbe0
-  glyph->offset_y = bounds.y;
a9bbe0
+  if (bounds.width == 0 || bounds.height == 0 ||
a9bbe0
+      grub_cast (bounds.width, &glyph->width) ||
a9bbe0
+      grub_cast (bounds.height, &glyph->height) ||
a9bbe0
+      grub_cast (bounds.x, &glyph->offset_x) ||
a9bbe0
+      grub_cast (bounds.y, &glyph->offset_y))
a9bbe0
+    return main_glyph;
a9bbe0
 
a9bbe0
   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
a9bbe0
     grub_font_blit_glyph_mirror (glyph, main_glyph,