forked from pool/grub2
fd4fd3a935
- Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 OBS-URL: https://build.opensuse.org/request/show/1035936 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=426
92 lines
3.9 KiB
Diff
92 lines
3.9 KiB
Diff
From 79924f56f5062c1bae972fd6cd8f38e56980f34d Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Mon, 24 Oct 2022 08:05:35 +0800
|
|
Subject: [PATCH 09/12] font: Fix an integer underflow in blit_comb()
|
|
|
|
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
|
|
evaluate to a very big invalid value even if both ctx.bounds.height and
|
|
combining_glyphs[i]->height are small integers. For example, if
|
|
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
|
|
expression evaluates to 2147483647 (expected -1). This is because
|
|
coordinates are allowed to be negative but ctx.bounds.height is an
|
|
unsigned int. So, the subtraction operates on unsigned ints and
|
|
underflows to a very big value. The division makes things even worse.
|
|
The quotient is still an invalid value even if converted back to int.
|
|
|
|
This patch fixes the problem by casting ctx.bounds.height to int. As
|
|
a result the subtraction will operate on int and grub_uint16_t which
|
|
will be promoted to an int. So, the underflow will no longer happen. Other
|
|
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
|
|
to ensure coordinates are always calculated on signed integers.
|
|
|
|
Fixes: CVE-2022-3775
|
|
|
|
Reported-by: Daniel Axtens <dja@axtens.net>
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 16 ++++++++--------
|
|
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index 193dfec04..12a5f0d08 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
ctx.bounds.height = main_glyph->height;
|
|
|
|
above_rightx = main_glyph->offset_x + main_glyph->width;
|
|
- above_righty = ctx.bounds.y + ctx.bounds.height;
|
|
+ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
|
|
|
|
above_leftx = main_glyph->offset_x;
|
|
- above_lefty = ctx.bounds.y + ctx.bounds.height;
|
|
+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
|
|
|
|
- below_rightx = ctx.bounds.x + ctx.bounds.width;
|
|
+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
|
|
below_righty = ctx.bounds.y;
|
|
|
|
comb = grub_unicode_get_comb (glyph_id);
|
|
@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
|
|
if (!combining_glyphs[i])
|
|
continue;
|
|
- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
|
+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
|
|
/* CGJ is to avoid diacritics reordering. */
|
|
if (comb[i].code
|
|
== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
|
|
@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
case GRUB_UNICODE_COMB_OVERLAY:
|
|
do_blit (combining_glyphs[i],
|
|
targetx,
|
|
- (ctx.bounds.height - combining_glyphs[i]->height) / 2
|
|
- - (ctx.bounds.height + ctx.bounds.y), &ctx);
|
|
+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
|
|
+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
|
|
if (min_devwidth < combining_glyphs[i]->width)
|
|
min_devwidth = combining_glyphs[i]->width;
|
|
break;
|
|
@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
/* Fallthrough. */
|
|
case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
|
|
do_blit (combining_glyphs[i], targetx,
|
|
- -(ctx.bounds.height + ctx.bounds.y + space
|
|
+ -((int) ctx.bounds.height + ctx.bounds.y + space
|
|
+ combining_glyphs[i]->height), &ctx);
|
|
if (min_devwidth < combining_glyphs[i]->width)
|
|
min_devwidth = combining_glyphs[i]->width;
|
|
@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
|
|
|
|
case GRUB_UNICODE_COMB_HEBREW_DAGESH:
|
|
do_blit (combining_glyphs[i], targetx,
|
|
- -(ctx.bounds.height / 2 + ctx.bounds.y
|
|
+ -((int) ctx.bounds.height / 2 + ctx.bounds.y
|
|
+ combining_glyphs[i]->height / 2), &ctx);
|
|
if (min_devwidth < combining_glyphs[i]->width)
|
|
min_devwidth = combining_glyphs[i]->width;
|
|
--
|
|
2.35.3
|
|
|