path: root/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch')
-rw-r--r-- meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch | 50
1 files changed, 0 insertions, 50 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
deleted file mode 100644
index f06514e665..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens <dja@axtens.net>
-Date: Tue, 6 Jul 2021 23:25:07 +1000
-Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
- items
-
-In fuzzing we observed crashes where a code would attempt to be inserted
-into a huffman table before the start, leading to a set of heap OOB reads
-and writes as table entries with negative indices were shifted around and
-the new code written in.
-
-Catch the case where we would underflow the array and bail.
-
-Fixes: CVE-2021-3696
-
-Signed-off-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport
-CVE: CVE-2021-3696
-
-Reference to upstream patch:
-https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042
-
-Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
----
- grub-core/video/readers/png.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
-index a3161e25b..d7ed5aa6c 100644
---- a/grub-core/video/readers/png.c
-+++ b/grub-core/video/readers/png.c
-@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
- for (i = len; i < ht->max_length; i++)
- n += ht->maxval[i];
-
-+ if (n > ht->num_values)
-+ {
-+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "png: out of range inserting huffman table item");
-+ return;
-+ }
-+
- for (i = 0; i < n; i++)
- ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
-
---
-2.34.1
-
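Review bot: Deleting this file drops the backported `if (n > ht->num_values)` check in grub_png_insert_huff_item from the build, and nothing visible here shows that the GRUB source being built already contains upstream commit 210245129c932dc9e1c2748d9d35524fb95b5042. The diffstat is limited to this one file, so the matching recipe change (removing the patch from the source list, and any version bump that makes it redundant) cannot be checked from this view; please confirm both are part of the same commit and say so in the commit message. The `CVE: CVE-2021-3696` tag in the removed header also goes away with the file, so verify that the CVE is still reported as fixed for the resulting GRUB version. Note too that the removed fix ends in a bare `return;` after grub_error, so if the upgraded source is relied on instead, its callers need to check the error state after inserting a table item for the bail-out to stop processing of the malformed PNG.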