meta/recipes-bsp/grub/files/CVE-2022-2601.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Fri, 5 Aug 2022 01:58:27 +0800
Subject: [PATCH] font: Fix several integer overflows in
 grub_font_construct_glyph()

This patch fixes several integer overflows in grub_font_construct_glyph().
Glyphs of invalid size, zero or leading to an overflow, are rejected.
The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
returns NULL is fixed too.

Fixes: CVE-2022-2601

Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Upstream-Status: Backport from
[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
CVE: CVE-2022-2601

Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>

---
 grub-core/font/font.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 876b5b6..0ff5525 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
   struct grub_video_signed_rect bounds;
   static struct grub_font_glyph *glyph = 0;
   static grub_size_t max_glyph_size = 0;
+  grub_size_t cur_glyph_size;
 
   ensure_comb_space (glyph_id);
 
@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
   if (!glyph_id->ncomb && !glyph_id->attributes)
     return main_glyph;
 
-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
+  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
+      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
+    return main_glyph;
+
+  if (max_glyph_size < cur_glyph_size)
     {
       grub_free (glyph);
-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
-      if (max_glyph_size < 8)
-	max_glyph_size = 8;
-      glyph = grub_malloc (max_glyph_size);
+      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
+	max_glyph_size = 0;
+      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
     }
   if (!glyph)
     {
+      max_glyph_size = 0;
       grub_errno = GRUB_ERR_NONE;
       return main_glyph;
     }
 
-  grub_memset (glyph, 0, sizeof (*glyph)
-	       + (bounds.width * bounds.height
-		  + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
+  grub_memset (glyph, 0, cur_glyph_size);
 
   glyph->font = main_glyph->font;
-  glyph->width = bounds.width;
-  glyph->height = bounds.height;
-  glyph->offset_x = bounds.x;
-  glyph->offset_y = bounds.y;
+  if (bounds.width == 0 || bounds.height == 0 ||
+      grub_cast (bounds.width, &glyph->width) ||
+      grub_cast (bounds.height, &glyph->height) ||
+      grub_cast (bounds.x, &glyph->offset_x) ||
+      grub_cast (bounds.y, &glyph->offset_y))
+    return main_glyph;
 
   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
     grub_font_blit_glyph_mirror (glyph, main_glyph,