e016790fe1
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
259 lines
8.1 KiB
Diff
259 lines
8.1 KiB
Diff
From 27134e18072a9dffb2bda6b74cd312be5360baa0 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Mon, 28 Jun 2021 14:16:14 +1000
|
|
Subject: [PATCH 12/32] video/readers/jpeg: Abort sooner if a read operation
|
|
fails
|
|
|
|
Fuzzing revealed some inputs that were taking a long time, potentially
|
|
forever, because they did not bail quickly upon encountering an I/O error.
|
|
|
|
Try to catch I/O errors sooner and bail out.
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++-------
|
|
1 file changed, 70 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
|
index e31602f766..10225abd53 100644
|
|
--- a/grub-core/video/readers/jpeg.c
|
|
+++ b/grub-core/video/readers/jpeg.c
|
|
@@ -109,9 +109,17 @@ static grub_uint8_t
|
|
grub_jpeg_get_byte (struct grub_jpeg_data *data)
|
|
{
|
|
grub_uint8_t r;
|
|
+ grub_ssize_t bytes_read;
|
|
|
|
r = 0;
|
|
- grub_file_read (data->file, &r, 1);
|
|
+ bytes_read = grub_file_read (data->file, &r, 1);
|
|
+
|
|
+ if (bytes_read != 1)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "jpeg: unexpected end of data");
|
|
+ return 0;
|
|
+ }
|
|
|
|
return r;
|
|
}
|
|
@@ -120,9 +128,17 @@ static grub_uint16_t
|
|
grub_jpeg_get_word (struct grub_jpeg_data *data)
|
|
{
|
|
grub_uint16_t r;
|
|
+ grub_ssize_t bytes_read;
|
|
|
|
r = 0;
|
|
- grub_file_read (data->file, &r, sizeof (grub_uint16_t));
|
|
+ bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
|
|
+
|
|
+ if (bytes_read != sizeof (grub_uint16_t))
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "jpeg: unexpected end of data");
|
|
+ return 0;
|
|
+ }
|
|
|
|
return grub_be_to_cpu16 (r);
|
|
}
|
|
@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
|
|
if (data->bit_mask == 0)
|
|
{
|
|
data->bit_save = grub_jpeg_get_byte (data);
|
|
+ if (grub_errno != GRUB_ERR_NONE) {
|
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "jpeg: file read error");
|
|
+ return 0;
|
|
+ }
|
|
if (data->bit_save == JPEG_ESC_CHAR)
|
|
{
|
|
if (grub_jpeg_get_byte (data) != 0)
|
|
@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
|
|
"jpeg: invalid 0xFF in data stream");
|
|
return 0;
|
|
}
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
|
|
+ return 0;
|
|
+ }
|
|
}
|
|
data->bit_mask = 0x80;
|
|
}
|
|
@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
|
|
return 0;
|
|
|
|
msb = value = grub_jpeg_get_bit (data);
|
|
- for (i = 1; i < num; i++)
|
|
+ for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
|
|
value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
|
|
if (!msb)
|
|
value += 1 - (1 << num);
|
|
@@ -202,6 +228,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
|
|
while (data->file->offset + sizeof (count) + 1 <= next_marker)
|
|
{
|
|
id = grub_jpeg_get_byte (data);
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
ac = (id >> 4) & 1;
|
|
id &= 0xF;
|
|
if (id > 1)
|
|
@@ -252,6 +280,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
|
|
|
|
next_marker = data->file->offset;
|
|
next_marker += grub_jpeg_get_word (data);
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
|
|
if (next_marker > data->file->size)
|
|
{
|
|
@@ -263,6 +293,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
|
|
<= next_marker)
|
|
{
|
|
id = grub_jpeg_get_byte (data);
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
if (id >= 0x10) /* Upper 4-bit is precision. */
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
"jpeg: only 8-bit precision is supported");
|
|
@@ -294,6 +326,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
|
|
next_marker = data->file->offset;
|
|
next_marker += grub_jpeg_get_word (data);
|
|
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
+
|
|
if (grub_jpeg_get_byte (data) != 8)
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
"jpeg: only 8-bit precision is supported");
|
|
@@ -319,6 +354,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
|
|
|
|
ss = grub_jpeg_get_byte (data); /* Sampling factor. */
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
if (!id)
|
|
{
|
|
grub_uint8_t vs, hs;
|
|
@@ -498,7 +535,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
|
|
}
|
|
}
|
|
|
|
-static void
|
|
+static grub_err_t
|
|
grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
|
{
|
|
int h1, h2, qt;
|
|
@@ -513,6 +550,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
|
data->dc_value[id] +=
|
|
grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
|
|
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
+
|
|
du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
|
|
pos = 1;
|
|
while (pos < ARRAY_SIZE (data->quan_table[qt]))
|
|
@@ -527,11 +567,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
|
num >>= 4;
|
|
pos += num;
|
|
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
+
|
|
if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
|
|
{
|
|
- grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
- "jpeg: invalid position in zigzag order!?");
|
|
- return;
|
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "jpeg: invalid position in zigzag order!?");
|
|
}
|
|
|
|
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
|
|
@@ -539,6 +581,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
|
}
|
|
|
|
grub_jpeg_idct_transform (du);
|
|
+ return GRUB_ERR_NONE;
|
|
}
|
|
|
|
static void
|
|
@@ -597,7 +640,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
|
data_offset += grub_jpeg_get_word (data);
|
|
|
|
cc = grub_jpeg_get_byte (data);
|
|
-
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
if (cc != 3 && cc != 1)
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
"jpeg: component count must be 1 or 3");
|
|
@@ -610,7 +654,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
|
id = grub_jpeg_get_byte (data) - 1;
|
|
if ((id < 0) || (id >= 3))
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
|
|
-
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
ht = grub_jpeg_get_byte (data);
|
|
data->comp_index[id][1] = (ht >> 4);
|
|
data->comp_index[id][2] = (ht & 0xF) + 2;
|
|
@@ -618,11 +663,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
|
if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
|
|
(data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
}
|
|
|
|
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
|
|
grub_jpeg_get_word (data);
|
|
-
|
|
+ if (grub_errno != GRUB_ERR_NONE)
|
|
+ return grub_errno;
|
|
if (data->file->offset != data_offset)
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
|
|
|
|
@@ -640,6 +688,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
|
{
|
|
unsigned c1, vb, hb, nr1, nc1;
|
|
int rst = data->dri;
|
|
+ grub_err_t err = GRUB_ERR_NONE;
|
|
|
|
vb = 8 << data->log_vs;
|
|
hb = 8 << data->log_hs;
|
|
@@ -660,17 +709,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
|
|
|
for (r2 = 0; r2 < (1U << data->log_vs); r2++)
|
|
for (c2 = 0; c2 < (1U << data->log_hs); c2++)
|
|
- grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
|
|
+ {
|
|
+ err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
|
|
+ if (err != GRUB_ERR_NONE)
|
|
+ return err;
|
|
+ }
|
|
|
|
if (data->color_components >= 3)
|
|
{
|
|
- grub_jpeg_decode_du (data, 1, data->cbdu);
|
|
- grub_jpeg_decode_du (data, 2, data->crdu);
|
|
+ err = grub_jpeg_decode_du (data, 1, data->cbdu);
|
|
+ if (err != GRUB_ERR_NONE)
|
|
+ return err;
|
|
+ err = grub_jpeg_decode_du (data, 2, data->crdu);
|
|
+ if (err != GRUB_ERR_NONE)
|
|
+ return err;
|
|
}
|
|
|
|
- if (grub_errno)
|
|
- return grub_errno;
|
|
-
|
|
nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
|
|
nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;
|
|
|
|
--
|
|
2.34.1
|
|
|