forked from pool/grub2
fd4fd3a935
- Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 OBS-URL: https://build.opensuse.org/request/show/1035936 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=426
87 lines
2.4 KiB
Diff
87 lines
2.4 KiB
Diff
From 926f1515608e14c0592fc61a8ef37392d7020ca3 Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Sun, 14 Aug 2022 18:09:38 +0800
|
|
Subject: [PATCH 07/12] font: Fix integer underflow in binary search of char
|
|
index
|
|
|
|
If search target is less than all entries in font->index then "hi"
|
|
variable is set to -1, which translates to SIZE_MAX and leads to errors.
|
|
|
|
This patch fixes the problem by replacing the entire binary search code
|
|
with the libstdc++'s std::lower_bound() implementation.
|
|
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
|
|
1 file changed, 22 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index b208a2871..193dfec04 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
|
|
static inline struct char_index_entry *
|
|
find_glyph (const grub_font_t font, grub_uint32_t code)
|
|
{
|
|
- struct char_index_entry *table;
|
|
- grub_size_t lo;
|
|
- grub_size_t hi;
|
|
- grub_size_t mid;
|
|
+ struct char_index_entry *table, *first, *end;
|
|
+ grub_size_t len;
|
|
|
|
table = font->char_index;
|
|
+ if (table == NULL)
|
|
+ return NULL;
|
|
|
|
/* Use BMP index if possible. */
|
|
if (code < 0x10000 && font->bmp_idx)
|
|
@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
|
|
*/
|
|
}
|
|
|
|
- /* Do a binary search in `char_index', which is ordered by code point. */
|
|
- lo = 0;
|
|
- hi = font->num_chars - 1;
|
|
-
|
|
- if (!table)
|
|
- return 0;
|
|
+ /*
|
|
+ * Do a binary search in char_index which is ordered by code point.
|
|
+ * The code below is the same as libstdc++'s std::lower_bound().
|
|
+ */
|
|
+ first = table;
|
|
+ len = font->num_chars;
|
|
+ end = first + len;
|
|
|
|
- while (lo <= hi)
|
|
+ while (len > 0)
|
|
{
|
|
- mid = lo + (hi - lo) / 2;
|
|
- if (code < table[mid].code)
|
|
- hi = mid - 1;
|
|
- else if (code > table[mid].code)
|
|
- lo = mid + 1;
|
|
+ grub_size_t half = len >> 1;
|
|
+ struct char_index_entry *middle = first + half;
|
|
+
|
|
+ if (middle->code < code)
|
|
+ {
|
|
+ first = middle + 1;
|
|
+ len = len - half - 1;
|
|
+ }
|
|
else
|
|
- return &table[mid];
|
|
+ len = half;
|
|
}
|
|
|
|
- return 0;
|
|
+ return (first < end && first->code == code) ? first : NULL;
|
|
}
|
|
|
|
/* Get a glyph for the Unicode character CODE in FONT. The glyph is loaded
|
|
--
|
|
2.35.3
|
|
|