From 34b85a6e07014383ddcad09f99ff239ad752dd1a Mon Sep 17 00:00:00 2001
|
From: Daniel Axtens <dja@axtens.net>
|
Date: Fri, 15 Jan 2021 13:29:53 +1100
|
Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in
|
grub_jpeg_decode_du()
|
|
The key line is:
|
|
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
|
|
jpeg_zigzag_order is grub_uint8_t[64].
|
|
I don't understand JPEG decoders quite well enough to explain what's
|
going on here. However, I observe sometimes pos=64, which leads to an
|
OOB read of the jpeg_zigzag_order global then an OOB write to du.
|
That leads to various unpleasant memory corruption conditions.
|
|
Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
|
---
|
grub-core/video/readers/jpeg.c | 8 ++++++++
|
1 file changed, 8 insertions(+)
|
|
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
index 23f919a..e514812 100644
|
--- a/grub-core/video/readers/jpeg.c
|
+++ b/grub-core/video/readers/jpeg.c
|
@@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
val = grub_jpeg_get_number (data, num & 0xF);
|
num >>= 4;
|
pos += num;
|
+
|
+ if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
|
+ {
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
+ "jpeg: invalid position in zigzag order!?");
|
+ return;
|
+ }
|
+
|
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
|
pos++;
|
}
|
--
|
2.14.2
|
