登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
20 Star 0 Fork 83

openEuler-RISC-V / grub2

forked from src-openEuler / grub2 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
backport-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch 2.61 KB
一键复制 编辑 原始数据 按行查看 历史
sun_hai 提交于 2022-06-21 13:54 . fix CVE-2021-3697 CVE-2022-28735 CVE-2022-28736 CVE-2022-28734 CVE-20…
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879
From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Wed, 7 Jul 2021 15:38:19 +1000

Subject: video/readers/jpeg: Block int underflow -> wild pointer write



Certain 1 px wide images caused a wild pointer write in

grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),

we have the following loop:



for (; data->r1 < nr1 && (!data->dri || rst);

     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)



We did not check if vb * width >= hb * nc1.



On a 64-bit platform, if that turns out to be negative, it will underflow,

be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so

we see data->bitmap_ptr jump, e.g.:



0x6180_0000_0480 to

0x6181_0000_0498

     ^

     ~--- carry has occurred and this pointer is now far away from

          any object.



On a 32-bit platform, it will decrement the pointer, creating a pointer

that won't crash but will overwrite random data.



Catch the underflow and error out.



Fixes: CVE-2021-3697



Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6

Conflict:NA



Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

---

 grub-core/video/readers/jpeg.c | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)



diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c

index 579bbe8..09596fb 100644

--- a/grub-core/video/readers/jpeg.c

+++ b/grub-core/video/readers/jpeg.c

@@ -23,6 +23,7 @@

 #include <grub/mm.h>

 #include <grub/misc.h>

 #include <grub/bufio.h>

+#include <grub/safemath.h>

 

 GRUB_MOD_LICENSE ("GPLv3+");

 

@@ -699,6 +700,7 @@ static grub_err_t

 grub_jpeg_decode_data (struct grub_jpeg_data *data)

 {

   unsigned c1, vb, hb, nr1, nc1;

+  unsigned stride_a, stride_b, stride;

   int rst = data->dri;

   grub_err_t err = GRUB_ERR_NONE;

 

@@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)

     return grub_error (GRUB_ERR_BAD_FILE_TYPE,

 		       "jpeg: attempted to decode data before start of stream");

 

+  if (grub_mul(vb, data->image_width, &stride_a) ||

+      grub_mul(hb, nc1, &stride_b) ||

+      grub_sub(stride_a, stride_b, &stride))

+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		       "jpeg: cannot decode image with these dimensions");

+

   for (; data->r1 < nr1 && (!data->dri || rst);

-       data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)

+       data->r1++, data->bitmap_ptr += stride * 3)

     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);

 	c1++, rst--, data->bitmap_ptr += hb * 3)

       {

-- 

cgit v1.1
1
https://gitee.com/openeuler-risc-v/grub2.git
git@gitee.com:openeuler-risc-v/grub2.git
openeuler-risc-v
grub2
grub2
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部