Blame SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch

a9bbe0
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
a9bbe0
From: Zhang Boyang <zhangboyang.id@gmail.com>
a9bbe0
Date: Fri, 28 Oct 2022 21:31:39 +0800
a9bbe0
Subject: [PATCH] normal/charset: Fix an integer overflow in
a9bbe0
 grub_unicode_aglomerate_comb()
a9bbe0
a9bbe0
The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
a9bbe0
However, code in grub_unicode_aglomerate_comb() doesn't check for an
a9bbe0
overflow when incrementing out->ncomb. If out->ncomb is already 255,
a9bbe0
after incrementing it will get 0 instead of 256, and cause illegal
a9bbe0
memory access in subsequent processing.
a9bbe0
a9bbe0
This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
a9bbe0
acceptable value of ncomb. The code now checks for this limit and
a9bbe0
ignores additional combining characters when limit is reached.
a9bbe0
a9bbe0
Reported-by: Daniel Axtens <dja@axtens.net>
a9bbe0
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
a9bbe0
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
a9bbe0
(cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
a9bbe0
(cherry picked from commit 26fafec86000b5322837722a115279ef03922ca6)
a9bbe0
(cherry picked from commit 872fba1c44dee2ab5cb36b2c7a883847f91ed907)
a9bbe0
---
a9bbe0
 grub-core/normal/charset.c | 3 +++
a9bbe0
 include/grub/unicode.h     | 2 ++
a9bbe0
 2 files changed, 5 insertions(+)
a9bbe0
a9bbe0
diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
a9bbe0
index 7b2de12001..4849cf06f7 100644
a9bbe0
--- a/grub-core/normal/charset.c
a9bbe0
+++ b/grub-core/normal/charset.c
a9bbe0
@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
a9bbe0
 	  if (!haveout)
a9bbe0
 	    continue;
a9bbe0
 
a9bbe0
+	  if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
a9bbe0
+	    continue;
a9bbe0
+
a9bbe0
 	  if (comb_type == GRUB_UNICODE_COMB_MC
a9bbe0
 	      || comb_type == GRUB_UNICODE_COMB_ME
a9bbe0
 	      || comb_type == GRUB_UNICODE_COMB_MN)
a9bbe0
diff --git a/include/grub/unicode.h b/include/grub/unicode.h
a9bbe0
index 4de986a857..c4f6fca043 100644
a9bbe0
--- a/include/grub/unicode.h
a9bbe0
+++ b/include/grub/unicode.h
a9bbe0
@@ -147,7 +147,9 @@ struct grub_unicode_glyph
a9bbe0
   grub_uint8_t bidi_level:6; /* minimum: 6 */
a9bbe0
   enum grub_bidi_type bidi_type:5; /* minimum: :5 */
a9bbe0
 
a9bbe0
+#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
a9bbe0
   unsigned ncomb:8;
a9bbe0
+
a9bbe0
   /* Hint by unicode subsystem how wide this character usually is.
a9bbe0
      Real width is determined by font. Set only in UTF-8 stream.  */
a9bbe0
   int estimated_width:8;