fd4fd3a935
- Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 OBS-URL: https://build.opensuse.org/request/show/1035936 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=426
56 lines
2.0 KiB
Diff
56 lines
2.0 KiB
Diff
From 5e53d73775f6dc9b9b08536cbac2f8a5e2559903 Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Fri, 28 Oct 2022 21:31:39 +0800
|
|
Subject: [PATCH 12/12] normal/charset: Fix an integer overflow in
|
|
grub_unicode_aglomerate_comb()
|
|
|
|
The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
|
|
However, code in grub_unicode_aglomerate_comb() doesn't check for an
|
|
overflow when incrementing out->ncomb. If out->ncomb is already 255,
|
|
after incrementing it will get 0 instead of 256, and cause illegal
|
|
memory access in subsequent processing.
|
|
|
|
This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
|
|
acceptable value of ncomb. The code now checks for this limit and
|
|
ignores additional combining characters when limit is reached.
|
|
|
|
Reported-by: Daniel Axtens <dja@axtens.net>
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/normal/charset.c | 3 +++
|
|
include/grub/unicode.h | 2 ++
|
|
2 files changed, 5 insertions(+)
|
|
|
|
diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
|
|
index 7a5a7c153..c243ca6da 100644
|
|
--- a/grub-core/normal/charset.c
|
|
+++ b/grub-core/normal/charset.c
|
|
@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
|
|
if (!haveout)
|
|
continue;
|
|
|
|
+ if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
|
|
+ continue;
|
|
+
|
|
if (comb_type == GRUB_UNICODE_COMB_MC
|
|
|| comb_type == GRUB_UNICODE_COMB_ME
|
|
|| comb_type == GRUB_UNICODE_COMB_MN)
|
|
diff --git a/include/grub/unicode.h b/include/grub/unicode.h
|
|
index 4de986a85..c4f6fca04 100644
|
|
--- a/include/grub/unicode.h
|
|
+++ b/include/grub/unicode.h
|
|
@@ -147,7 +147,9 @@ struct grub_unicode_glyph
|
|
grub_uint8_t bidi_level:6; /* minimum: 6 */
|
|
enum grub_bidi_type bidi_type:5; /* minimum: :5 */
|
|
|
|
+#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
|
|
unsigned ncomb:8;
|
|
+
|
|
/* Hint by unicode subsystem how wide this character usually is.
|
|
Real width is determined by font. Set only in UTF-8 stream. */
|
|
int estimated_width:8;
|
|
--
|
|
2.35.3
|
|
|