| Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame^] | 1 | From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Axtens <dja@axtens.net> |
| 3 | Date: Tue, 6 Jul 2021 23:25:07 +1000 |
| 4 | Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table |
| 5 | items |
| 6 | |
| 7 | In fuzzing we observed crashes where a code would attempt to be inserted |
| 8 | into a huffman table before the start, leading to a set of heap OOB reads |
| 9 | and writes as table entries with negative indices were shifted around and |
| 10 | the new code written in. |
| 11 | |
| 12 | Catch the case where we would underflow the array and bail. |
| 13 | |
| 14 | Fixes: CVE-2021-3696 |
| 15 | |
| 16 | Signed-off-by: Daniel Axtens <dja@axtens.net> |
| 17 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| 18 | |
| 19 | Upstream-Status: Backport |
| 20 | CVE: CVE-2021-3696 |
| 21 | |
| 22 | Reference to upstream patch: |
| 23 | https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042 |
| 24 | |
| 25 | Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> |
| 26 | --- |
| 27 | grub-core/video/readers/png.c | 7 +++++++ |
| 28 | 1 file changed, 7 insertions(+) |
| 29 | |
| 30 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c |
| 31 | index a3161e25b..d7ed5aa6c 100644 |
| 32 | --- a/grub-core/video/readers/png.c |
| 33 | +++ b/grub-core/video/readers/png.c |
| 34 | @@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) |
| 35 | for (i = len; i < ht->max_length; i++) |
| 36 | n += ht->maxval[i]; |
| 37 | |
| 38 | + if (n > ht->num_values) |
| 39 | + { |
| 40 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, |
| 41 | + "png: out of range inserting huffman table item"); |
| 42 | + return; |
| 43 | + } |
| 44 | + |
| 45 | for (i = 0; i < n; i++) |
| 46 | ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; |
| 47 | |
| 48 | -- |
| 49 | 2.34.1 |
| 50 | |