SHA256
1
0
forked from pool/grub2
grub2/0006-font-Fix-integer-overflow-in-BMP-index.patch
Michael Chang fd4fd3a935 Accepting request 1035936 from home:michael-chang:branches:Base:System
- Security fixes and hardenings
  * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
  * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
- Fix CVE-2022-2601 (bsc#1205178)
  * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch
  * 0004-font-Remove-grub_font_dup_glyph.patch
  * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch
  * 0006-font-Fix-integer-overflow-in-BMP-index.patch
  * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch
  * 0008-fbutil-Fix-integer-overflow.patch
- Fix CVE-2022-3775 (bsc#1205182)
  * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch
  * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
  * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
  * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
- Bump upstream SBAT generation to 3

OBS-URL: https://build.opensuse.org/request/show/1035936
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=426
2022-11-16 03:21:13 +00:00

66 lines
2.3 KiB
Diff

From a97e0ae72604fbd4ebea854ffee127ed59b10f75 Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Mon, 15 Aug 2022 02:04:58 +0800
Subject: [PATCH 06/12] font: Fix integer overflow in BMP index
The BMP index (font->bmp_idx) is designed as a reverse lookup table of
char entries (font->char_index), in order to speed up lookups for BMP
chars (i.e. code < 0x10000). The values in BMP index are the subscripts
of the corresponding char entries, stored in grub_uint16_t, while 0xffff
means not found.
This patch fixes the problem of large subscript truncated to grub_uint16_t,
leading BMP index to return wrong char entry or report false miss. The
code now checks for bounds and uses BMP index as a hint, and fallbacks
to binary-search if necessary.
On the occasion add a comment about BMP index is initialized to 0xffff.
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/font/font.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index d0e634040..b208a2871 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
if (!font->bmp_idx)
return 1;
+
+ /* Init the BMP index array to 0xffff. */
grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
return 1;
}
- if (entry->code < 0x10000)
+ if (entry->code < 0x10000 && i < 0xffff)
font->bmp_idx[entry->code] = i;
last_code = entry->code;
@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
/* Use BMP index if possible. */
if (code < 0x10000 && font->bmp_idx)
{
- if (font->bmp_idx[code] == 0xffff)
- return 0;
- return &table[font->bmp_idx[code]];
+ if (font->bmp_idx[code] < 0xffff)
+ return &table[font->bmp_idx[code]];
+ /*
+ * When we are here then lookup in BMP index result in miss,
+ * fallthough to binary-search.
+ */
}
/* Do a binary search in `char_index', which is ordered by code point. */
--
2.35.3