You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 lines
1.4 KiB
41 lines
1.4 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
|
From: Daniel Axtens <dja@axtens.net> |
|
Date: Tue, 6 Jul 2021 23:25:07 +1000 |
|
Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table |
|
items |
|
|
|
In fuzzing we observed crashes where a code would attempt to be inserted |
|
into a huffman table before the start, leading to a set of heap OOB reads |
|
and writes as table entries with negative indices were shifted around and |
|
the new code written in. |
|
|
|
Catch the case where we would underflow the array and bail. |
|
|
|
Fixes: CVE-2021-3696 |
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net> |
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
|
(cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa) |
|
(cherry picked from commit 132ccc681cf642ad748580f26b54c9259a7f43fd) |
|
--- |
|
grub-core/video/readers/png.c | 7 +++++++ |
|
1 file changed, 7 insertions(+) |
|
|
|
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c |
|
index a3161e25b6..d7ed5aa6cf 100644 |
|
--- a/grub-core/video/readers/png.c |
|
+++ b/grub-core/video/readers/png.c |
|
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) |
|
for (i = len; i < ht->max_length; i++) |
|
n += ht->maxval[i]; |
|
|
|
+ if (n > ht->num_values) |
|
+ { |
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, |
|
+ "png: out of range inserting huffman table item"); |
|
+ return; |
|
+ } |
|
+ |
|
for (i = 0; i < n; i++) |
|
ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; |
|
|
|
|