rpm/grub2
SHA256
1
0
Fork 0
forked from pool/grub2
Code Pull Requests Activity
448b5a32b0
grub2/0011-video-readers-png-Sanity-check-some-huffman-codes.patch
Michael Chang e016790fe1 Accepting request 981228 from home:michael-chang:branches:Base:System 
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
  * 0001-video-Remove-trailing-whitespaces.patch
  * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch
  * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch
- Fix CVE-2022-28736 (bsc#1198496)
  * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch
- Fix CVE-2022-28735 (bsc#1198495)
  * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
  * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
  * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
  * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch
- Fix CVE-2021-3695 (bsc#1191184)
  * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
- Fix CVE-2021-3696 (bsc#1191185)
  * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
  * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch
  * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
  * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
  * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
- Fix CVE-2021-3697 (bsc#1191186)
  * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
  * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
- Fix CVE-2022-28733 (bsc#1198460)
  * 0017-net-ip-Do-IP-fragment-maths-safely.patch
  * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch
  * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
  * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
  * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
  * 0022-net-tftp-Avoid-a-trivial-UAF.patch
  * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch

OBS-URL: https://build.opensuse.org/request/show/981228
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
2022-06-08 03:04:17 +00:00

43 lines
1.4 KiB
Diff
Raw Blame History

From bbbb410d5d7d29d935e7108c77a0368e4e007a43 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 6 Jul 2021 19:19:11 +1000
Subject: [PATCH 11/32] video/readers/png: Sanity check some huffman codes
ASAN picked up two OOB global reads: we weren't checking if some code
values fit within the cplens or cpdext arrays. Check and throw an error
if not.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/png.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index d7ed5aa6cf..7f2ba7849b 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
int len, dist, pos;
n -= 257;
+ if (((unsigned int) n) >= ARRAY_SIZE (cplens))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: invalid huff code");
len = cplens[n];
if (cplext[n])
len += grub_png_get_bits (data, cplext[n]);
@@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
return grub_errno;
n = grub_png_get_huff_code (data, &data->dist_table);
+ if (((unsigned int) n) >= ARRAY_SIZE (cpdist))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: invalid huff code");
dist = cpdist[n];
if (cpdext[n])
dist += grub_png_get_bits (data, cpdext[n]);
--
2.34.1
View Git Blame Copy Permalink