forked from pool/grub2
fd4fd3a935
- Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 OBS-URL: https://build.opensuse.org/request/show/1035936 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=426
66 lines
2.3 KiB
Diff
66 lines
2.3 KiB
Diff
From a97e0ae72604fbd4ebea854ffee127ed59b10f75 Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Mon, 15 Aug 2022 02:04:58 +0800
|
|
Subject: [PATCH 06/12] font: Fix integer overflow in BMP index
|
|
|
|
The BMP index (font->bmp_idx) is designed as a reverse lookup table of
|
|
char entries (font->char_index), in order to speed up lookups for BMP
|
|
chars (i.e. code < 0x10000). The values in BMP index are the subscripts
|
|
of the corresponding char entries, stored in grub_uint16_t, while 0xffff
|
|
means not found.
|
|
|
|
This patch fixes the problem of large subscript truncated to grub_uint16_t,
|
|
leading BMP index to return wrong char entry or report false miss. The
|
|
code now checks for bounds and uses BMP index as a hint, and fallbacks
|
|
to binary-search if necessary.
|
|
|
|
On the occasion add a comment about BMP index is initialized to 0xffff.
|
|
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 13 +++++++++----
|
|
1 file changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index d0e634040..b208a2871 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
|
|
font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
|
|
if (!font->bmp_idx)
|
|
return 1;
|
|
+
|
|
+ /* Init the BMP index array to 0xffff. */
|
|
grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
|
|
|
|
|
|
@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
|
|
return 1;
|
|
}
|
|
|
|
- if (entry->code < 0x10000)
|
|
+ if (entry->code < 0x10000 && i < 0xffff)
|
|
font->bmp_idx[entry->code] = i;
|
|
|
|
last_code = entry->code;
|
|
@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
|
|
/* Use BMP index if possible. */
|
|
if (code < 0x10000 && font->bmp_idx)
|
|
{
|
|
- if (font->bmp_idx[code] == 0xffff)
|
|
- return 0;
|
|
- return &table[font->bmp_idx[code]];
|
|
+ if (font->bmp_idx[code] < 0xffff)
|
|
+ return &table[font->bmp_idx[code]];
|
|
+ /*
|
|
+ * When we are here then lookup in BMP index result in miss,
|
|
+ * fallthough to binary-search.
|
|
+ */
|
|
}
|
|
|
|
/* Do a binary search in `char_index', which is ordered by code point. */
|
|
--
|
|
2.35.3
|
|
|