Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
grub2.26023
0010-video-readers-png-Avoid-heap-OOB-R-W-inser...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch of Package grub2.26023
From 8ebb6943eae81d3c31963bbae42d5d1f168c8dd5 Mon Sep 17 00:00:00 2001 From: Daniel Axtens <dja@axtens.net> Date: Tue, 6 Jul 2021 23:25:07 +1000 Subject: [PATCH 10/32] video/readers/png: Avoid heap OOB R/W inserting huff table items In fuzzing we observed crashes where a code would attempt to be inserted into a huffman table before the start, leading to a set of heap OOB reads and writes as table entries with negative indices were shifted around and the new code written in. Catch the case where we would underflow the array and bail. Fixes: CVE-2021-3696 Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- grub-core/video/readers/png.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c index a3161e25b6..d7ed5aa6cf 100644 --- a/grub-core/video/readers/png.c +++ b/grub-core/video/readers/png.c @@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) for (i = len; i < ht->max_length; i++) n += ht->maxval[i]; + if (n > ht->num_values) + { + grub_error (GRUB_ERR_BAD_FILE_TYPE, + "png: out of range inserting huffman table item"); + return; + } + for (i = 0; i < n; i++) ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; -- 2.34.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor