Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
grub2.24426
0004-video-readers-jpeg-Catch-OOB-reads-writes-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0004-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch of Package grub2.24426
From 539b596edbf0ca4ac19610475e1c083ed0ca2c43 Mon Sep 17 00:00:00 2001 From: Daniel Axtens <dja@axtens.net> Date: Fri, 15 Jan 2021 13:29:53 +1100 Subject: [PATCH 04/37] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() The key line is: du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; jpeg_zigzag_order is grub_uint8_t[64]. I don't understand JPEG decoders quite well enough to explain what's going on here. However, I observe sometimes pos=64, which leads to an OOB read of the jpeg_zigzag_order global then an OOB write to du. That leads to various unpleasant memory corruption conditions. Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/video/readers/jpeg.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c index 23f919aa07..e5148120f6 100644 --- a/grub-core/video/readers/jpeg.c +++ b/grub-core/video/readers/jpeg.c @@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) val = grub_jpeg_get_number (data, num & 0xF); num >>= 4; pos += num; + + if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) + { + grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: invalid position in zigzag order!?"); + return; + } + du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; pos++; } -- 2.34.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor