| From 34b85a6e07014383ddcad09f99ff239ad752dd1a Mon Sep 17 00:00:00 2001 |
| From: Daniel Axtens <dja@axtens.net> |
| Date: Fri, 15 Jan 2021 13:29:53 +1100 |
| Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in |
| grub_jpeg_decode_du() |
| |
| The key line is: |
| |
| du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; |
| |
| jpeg_zigzag_order is grub_uint8_t[64]. |
| |
| I don't understand JPEG decoders quite well enough to explain what's |
| going on here. However, I observe sometimes pos=64, which leads to an |
| OOB read of the jpeg_zigzag_order global then an OOB write to du. |
| That leads to various unpleasant memory corruption conditions. |
| |
| Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. |
| |
| Signed-off-by: Daniel Axtens <dja@axtens.net> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| Signed-off-by: Stefan SΓΈrensen <stefan.sorensen@spectralink.com> |
| --- |
| grub-core/video/readers/jpeg.c | 8 ++++++++ |
| 1 file changed, 8 insertions(+) |
| |
| diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c |
| index 23f919a..e514812 100644 |
| --- a/grub-core/video/readers/jpeg.c |
| +++ b/grub-core/video/readers/jpeg.c |
| @@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) |
| val = grub_jpeg_get_number (data, num & 0xF); |
| num >>= 4; |
| pos += num; |
| + |
| + if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) |
| + { |
| + grub_error (GRUB_ERR_BAD_FILE_TYPE, |
| + "jpeg: invalid position in zigzag order!?"); |
| + return; |
| + } |
| + |
| du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; |
| pos++; |
| } |
| -- |
| 2.14.2 |
| |