poky/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - openbmc/openbmc - Gitiles

 From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 5 Aug 2022 00:51:20 +0800
 Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()

 The length of memory allocation and file read may overflow. This patch
 fixes the problem by using safemath macros.

 There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
 if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
 It is safe replacement for such code. It has safemath-like prototype.

 This patch also introduces grub_cast(value, pointer), it casts value to
 typeof(*pointer) then store the value to *pointer. It returns true when
 overflow occurs or false if there is no overflow. The semantics of arguments
 and return value are designed to be consistent with other safemath macros.

 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

 Upstream-Status: Backport from
 [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]

 Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>

 ---
  grub-core/font/font.c   | 17 +++++++++++++----
  include/grub/bitmap.h   | 18 ++++++++++++++++++
  include/grub/safemath.h |  2 ++
  3 files changed, 33 insertions(+), 4 deletions(-)

 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index d09bb38..876b5b6 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
 @@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
        grub_int16_t xoff;
        grub_int16_t yoff;
        grub_int16_t dwidth;
 -      int len;
 +      grub_ssize_t len;
 +      grub_size_t sz;

        if (index_entry->glyph)
  	/* Return cached glyph.  */
 @@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
  	  return 0;
  	}

 -      len = (width * height + 7) / 8;
 -      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
 -      if (!glyph)
 +      /* Calculate real struct size of current glyph. */
 +      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
 +	  grub_add (sizeof (struct grub_font_glyph), len, &sz))
 +	{
 +	  remove_font (font);
 +	  return 0;
 +	}
 +
 +      /* Allocate and initialize the glyph struct. */
 +      glyph = grub_malloc (sz);
 +      if (glyph == NULL)
  	{
  	  remove_font (font);
  	  return 0;
 diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
 index 5728f8c..0d9603f 100644
 --- a/include/grub/bitmap.h
 +++ b/include/grub/bitmap.h
 @@ -23,6 +23,7 @@
  #include <grub/symbol.h>
  #include <grub/types.h>
  #include <grub/video.h>
 +#include <grub/safemath.h>

  struct grub_video_bitmap
  {
 @@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
    return bitmap->mode_info.height;
  }

 +/*
 + * Calculate and store the size of data buffer of 1bit bitmap in result.
 + * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
 + * Return true when overflow occurs or false if there is no overflow.
 + * This function is intentionally implemented as a macro instead of
 + * an inline function. Although a bit awkward, it preserves data types for
 + * safemath macros and reduces macro side effects as much as possible.
 + *
 + * XXX: Will report false overflow if width * height > UINT64_MAX.
 + */
 +#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
 +({ \
 +  grub_uint64_t _bitmap_pixels; \
 +  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
 +    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
 +})
 +
  void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
  						    struct grub_video_mode_info *mode_info);

 diff --git a/include/grub/safemath.h b/include/grub/safemath.h
 index c17b89b..bb0f826 100644
 --- a/include/grub/safemath.h
 +++ b/include/grub/safemath.h
 @@ -30,6 +30,8 @@
  #define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
  #define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)

 +#define grub_cast(a, res)	grub_add ((a), 0, (res))
 +
  #else
  #error gcc 5.1 or newer or clang 3.8 or newer is required
  #endif
	From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
	From: Zhang Boyang <zhangboyang.id@gmail.com>
	Date: Fri, 5 Aug 2022 00:51:20 +0800
	Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()

	The length of memory allocation and file read may overflow. This patch
	fixes the problem by using safemath macros.

	There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
	if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
	It is safe replacement for such code. It has safemath-like prototype.

	This patch also introduces grub_cast(value, pointer), it casts value to
	typeof(pointer) then store the value to pointer. It returns true when
	overflow occurs or false if there is no overflow. The semantics of arguments
	and return value are designed to be consistent with other safemath macros.

	Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

	Upstream-Status: Backport from
	[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]

	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>

	---
	grub-core/font/font.c \| 17 +++++++++++++----
	include/grub/bitmap.h \| 18 ++++++++++++++++++
	include/grub/safemath.h \| 2 ++
	3 files changed, 33 insertions(+), 4 deletions(-)

	diff --git a/grub-core/font/font.c b/grub-core/font/font.c
	index d09bb38..876b5b6 100644
	--- a/grub-core/font/font.c
	+++ b/grub-core/font/font.c
	@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
	grub_int16_t xoff;
	grub_int16_t yoff;
	grub_int16_t dwidth;
	- int len;
	+ grub_ssize_t len;
	+ grub_size_t sz;

	if (index_entry->glyph)
	/* Return cached glyph. */
	@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
	return 0;
	}

	- len = (width * height + 7) / 8;
	- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
	- if (!glyph)
	+ /* Calculate real struct size of current glyph. */
	+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) \|\|
	+ grub_add (sizeof (struct grub_font_glyph), len, &sz))
	+ {
	+ remove_font (font);
	+ return 0;
	+ }
	+
	+ /* Allocate and initialize the glyph struct. */
	+ glyph = grub_malloc (sz);
	+ if (glyph == NULL)
	{
	remove_font (font);
	return 0;
	diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
	index 5728f8c..0d9603f 100644
	--- a/include/grub/bitmap.h
	+++ b/include/grub/bitmap.h
	@@ -23,6 +23,7 @@
	#include <grub/symbol.h>
	#include <grub/types.h>
	#include <grub/video.h>
	+#include <grub/safemath.h>

	struct grub_video_bitmap
	{
	@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
	return bitmap->mode_info.height;
	}

	+/*
	+ * Calculate and store the size of data buffer of 1bit bitmap in result.
	+ * Equivalent to "result = (width height + 7) / 8" if no overflow occurs.
	+ * Return true when overflow occurs or false if there is no overflow.
	+ * This function is intentionally implemented as a macro instead of
	+ * an inline function. Although a bit awkward, it preserves data types for
	+ * safemath macros and reduces macro side effects as much as possible.
	+ *
	+ * XXX: Will report false overflow if width * height > UINT64_MAX.
	+ */
	+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
	+({ \
	+ grub_uint64_t _bitmap_pixels; \
	+ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
	+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
	+})
	+
	void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
	struct grub_video_mode_info *mode_info);

	diff --git a/include/grub/safemath.h b/include/grub/safemath.h
	index c17b89b..bb0f826 100644
	--- a/include/grub/safemath.h
	+++ b/include/grub/safemath.h
	@@ -30,6 +30,8 @@
	#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
	#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)

	+#define grub_cast(a, res) grub_add ((a), 0, (res))
	+
	#else
	#error gcc 5.1 or newer or clang 3.8 or newer is required
	#endif