diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch | 84 |
1 files changed, 0 insertions, 84 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch deleted file mode 100644 index e9fc52df86..0000000000 --- a/meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001 -From: Daniel Axtens <dja@axtens.net> -Date: Wed, 7 Jul 2021 15:38:19 +1000 -Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write - -Certain 1 px wide images caused a wild pointer write in -grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), -we have the following loop: - -for (; data->r1 < nr1 && (!data->dri || rst); - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) - -We did not check if vb * width >= hb * nc1. - -On a 64-bit platform, if that turns out to be negative, it will underflow, -be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so -we see data->bitmap_ptr jump, e.g.: - -0x6180_0000_0480 to -0x6181_0000_0498 - ^ - ~--- carry has occurred and this pointer is now far away from - any object. - -On a 32-bit platform, it will decrement the pointer, creating a pointer -that won't crash but will overwrite random data. - -Catch the underflow and error out. - -Fixes: CVE-2021-3697 - -Signed-off-by: Daniel Axtens <dja@axtens.net> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> - -Upstream-Status: Backport -CVE: CVE-2021-3697 - -Reference to upstream patch: -https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 - -Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> ---- - grub-core/video/readers/jpeg.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c -index 579bbe8a4..09596fbf5 100644 ---- a/grub-core/video/readers/jpeg.c -+++ b/grub-core/video/readers/jpeg.c -@@ -23,6 +23,7 @@ - #include <grub/mm.h> - #include <grub/misc.h> - #include <grub/bufio.h> -+#include <grub/safemath.h> - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -699,6 +700,7 @@ static grub_err_t - grub_jpeg_decode_data (struct grub_jpeg_data *data) - { - unsigned c1, vb, hb, nr1, nc1; -+ unsigned stride_a, stride_b, stride; - int rst = data->dri; - grub_err_t err = GRUB_ERR_NONE; - -@@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "jpeg: attempted to decode data before start of stream"); - -+ if (grub_mul(vb, data->image_width, &stride_a) || -+ grub_mul(hb, nc1, &stride_b) || -+ grub_sub(stride_a, stride_b, &stride)) -+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "jpeg: cannot decode image with these dimensions"); -+ - for (; data->r1 < nr1 && (!data->dri || rst); -- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) -+ data->r1++, data->bitmap_ptr += stride * 3) - for (c1 = 0; c1 < nc1 && (!data->dri || rst); - c1++, rst--, data->bitmap_ptr += hb * 3) - { --- -2.34.1 - |