File 0003-video-readers-jpeg-Catch-files-with-unsupp... of Package grub2.27716

Overview Repositories Revisions Requests Users Attributes Meta

File 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch of Package grub2.27716

From 01ab793d3db6891c46cacd66360bb89c5102c7a8 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 15 Jan 2021 12:57:04 +1100
Subject: [PATCH 03/37] video/readers/jpeg: Catch files with unsupported
 quantization or Huffman tables

Our decoder only supports 2 quantization tables. If a file asks for
a quantization table with index > 1, reject it.

Similarly, our decoder only supports 4 Huffman tables. If a file asks
for a Huffman table with index > 3, reject it.

This fixes some out of bounds reads. It's not clear what degree of control
over subsequent execution could be gained by someone who can carefully
set up the contents of memory before loading an invalid JPEG file.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/video/readers/jpeg.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index 0b6ce3cee6..23f919aa07 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
       else if (ss != JPEG_SAMPLING_1x1)
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
 			   "jpeg: sampling method not supported");
+
       data->comp_index[id][0] = grub_jpeg_get_byte (data);
+      if (data->comp_index[id][0] > 1)
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+			   "jpeg: too many quantization tables");
     }
 
   if (data->file->offset != next_marker)
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
       ht = grub_jpeg_get_byte (data);
       data->comp_index[id][1] = (ht >> 4);
       data->comp_index[id][2] = (ht & 0xF) + 2;
+
+      if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
+	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
+	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
     }
 
   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */
-- 
2.34.1

Places

File 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch of Package grub2.27716

Places