diff options
| author |   Marta Rybczynska <rybczynska@gmail.com> | 2022-02-18 11:05:43 +0100 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2022-02-23 05:00:42 -1000 |
| commit | d8cdb3a17f6e874d232979307a3f25511172d086 (patch) | |
| tree | 93af67396b8934d71132e1ff0f8d555076af33ed /meta | |
| parent | d15e7cc6fc7de358da2fd1faa8a8ea5bc2fabe98 (diff) | |
| download | openembedded-core-contrib-d8cdb3a17f6e874d232979307a3f25511172d086.tar.gz | |
grub: test for malformed jpeg files
This patch adds a fix for handling malformed JPEG files in grub's
video/readers/jpeg. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch | 38 | ||||
| -rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch new file mode 100644 index 0000000000..3fca2aecb5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch @@ -0,0 +1,38 @@ +From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001 +From: Darren Kenny <darren.kenny@oracle.com> +Date: Fri, 4 Dec 2020 15:39:00 +0000 +Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference + from a jpeg file + +While it may never happen, and potentially could be caught at the end of +the function, it is worth checking up front for a bad reference to the +next marker just in case of a maliciously crafted file being provided. + +Fixes: CID 73694 + +Signed-off-by: Darren Kenny <darren.kenny@oracle.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e] +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +--- + grub-core/video/readers/jpeg.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index 31359a4..0b6ce3c 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) + next_marker = data->file->offset; + next_marker += grub_jpeg_get_word (data); + ++ if (next_marker > data->file->size) ++ { ++ /* Should never be set beyond the size of the file. */ ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference"); ++ } ++ + while (data->file->offset + sizeof (data->quan_table[id]) + 1 + <= next_marker) + { diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 04c9b4c092..75782b7eb2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -81,6 +81,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \ file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \ file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \ + file://0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch \ " SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |