File 0015-video-readers-png-Avoid-heap-OOB-R-W-inser... of Package grub2.26834

Overview Repositories Revisions Requests Users Attributes Meta

File 0015-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch of Package grub2.26834

From fc6d44679d55b86a9815f148c92be6ef6bd6e67d Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 6 Jul 2021 23:25:07 +1000
Subject: [PATCH 15/37] video/readers/png: Avoid heap OOB R/W inserting huff
 table items

In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.

Catch the case where we would underflow the array and bail.

Fixes: CVE-2021-3696

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/video/readers/png.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index a3161e25b6..d7ed5aa6cf 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
   for (i = len; i < ht->max_length; i++)
     n += ht->maxval[i];
 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "png: out of range inserting huffman table item");
+      return;
+    }
+
   for (i = 0; i < n; i++)
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
 
-- 
2.34.1

Places

File 0015-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch of Package grub2.26834

Places