| Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame^] | 1 | From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Zhang Boyang <zhangboyang.id@gmail.com> |
| 3 | Date: Fri, 5 Aug 2022 01:58:27 +0800 |
| 4 | Subject: [PATCH] font: Fix several integer overflows in |
| 5 | grub_font_construct_glyph() |
| 6 | |
| 7 | This patch fixes several integer overflows in grub_font_construct_glyph(). |
| 8 | Glyphs of invalid size, zero or leading to an overflow, are rejected. |
| 9 | The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() |
| 10 | returns NULL is fixed too. |
| 11 | |
| 12 | Fixes: CVE-2022-2601 |
| 13 | |
| 14 | Reported-by: Zhang Boyang <zhangboyang.id@gmail.com> |
| 15 | Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> |
| 16 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 17 | |
| 18 | Upstream-Status: Backport from |
| 19 | [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e] |
| 20 | CVE: CVE-2022-2601 |
| 21 | |
| 22 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> |
| 23 | |
| 24 | --- |
| 25 | grub-core/font/font.c | 29 +++++++++++++++++------------ |
| 26 | 1 file changed, 17 insertions(+), 12 deletions(-) |
| 27 | |
| 28 | diff --git a/grub-core/font/font.c b/grub-core/font/font.c |
| 29 | index 876b5b6..0ff5525 100644 |
| 30 | --- a/grub-core/font/font.c |
| 31 | +++ b/grub-core/font/font.c |
| 32 | @@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, |
| 33 | struct grub_video_signed_rect bounds; |
| 34 | static struct grub_font_glyph *glyph = 0; |
| 35 | static grub_size_t max_glyph_size = 0; |
| 36 | + grub_size_t cur_glyph_size; |
| 37 | |
| 38 | ensure_comb_space (glyph_id); |
| 39 | |
| 40 | @@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, |
| 41 | if (!glyph_id->ncomb && !glyph_id->attributes) |
| 42 | return main_glyph; |
| 43 | |
| 44 | - if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) |
| 45 | + if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || |
| 46 | + grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) |
| 47 | + return main_glyph; |
| 48 | + |
| 49 | + if (max_glyph_size < cur_glyph_size) |
| 50 | { |
| 51 | grub_free (glyph); |
| 52 | - max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; |
| 53 | - if (max_glyph_size < 8) |
| 54 | - max_glyph_size = 8; |
| 55 | - glyph = grub_malloc (max_glyph_size); |
| 56 | + if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) |
| 57 | + max_glyph_size = 0; |
| 58 | + glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL; |
| 59 | } |
| 60 | if (!glyph) |
| 61 | { |
| 62 | + max_glyph_size = 0; |
| 63 | grub_errno = GRUB_ERR_NONE; |
| 64 | return main_glyph; |
| 65 | } |
| 66 | |
| 67 | - grub_memset (glyph, 0, sizeof (*glyph) |
| 68 | - + (bounds.width * bounds.height |
| 69 | - + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); |
| 70 | + grub_memset (glyph, 0, cur_glyph_size); |
| 71 | |
| 72 | glyph->font = main_glyph->font; |
| 73 | - glyph->width = bounds.width; |
| 74 | - glyph->height = bounds.height; |
| 75 | - glyph->offset_x = bounds.x; |
| 76 | - glyph->offset_y = bounds.y; |
| 77 | + if (bounds.width == 0 || bounds.height == 0 || |
| 78 | + grub_cast (bounds.width, &glyph->width) || |
| 79 | + grub_cast (bounds.height, &glyph->height) || |
| 80 | + grub_cast (bounds.x, &glyph->offset_x) || |
| 81 | + grub_cast (bounds.y, &glyph->offset_y)) |
| 82 | + return main_glyph; |
| 83 | |
| 84 | if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) |
| 85 | grub_font_blit_glyph_mirror (glyph, main_glyph, |