boot/grub2/0099-video-readers-jpeg-Catch-files-with-unsupported-quan.patch - buildroot - Git at Google

 From 693989598fd38c3c0b2a928f4f64865b5681762f Mon Sep 17 00:00:00 2001
 From: Daniel Axtens <dja@axtens.net>
 Date: Fri, 15 Jan 2021 12:57:04 +1100
 Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
  or Huffman tables

 Our decoder only supports 2 quantization tables. If a file asks for
 a quantization table with index > 1, reject it.

 Similarly, our decoder only supports 4 Huffman tables. If a file asks
 for a Huffman table with index > 3, reject it.

 This fixes some out of bounds reads. It's not clear what degree of control
 over subsequent execution could be gained by someone who can carefully
 set up the contents of memory before loading an invalid JPEG file.

 Signed-off-by: Daniel Axtens <dja@axtens.net>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 ---
  grub-core/video/readers/jpeg.c | 8 ++++++++
  1 file changed, 8 insertions(+)

 diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
 index 0b6ce3c..23f919a 100644
 --- a/grub-core/video/readers/jpeg.c
 +++ b/grub-core/video/readers/jpeg.c
 @@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
        else if (ss != JPEG_SAMPLING_1x1)
  	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
  			   "jpeg: sampling method not supported");
 +
        data->comp_index[id][0] = grub_jpeg_get_byte (data);
 +      if (data->comp_index[id][0] > 1)
 +	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
 +			   "jpeg: too many quantization tables");
      }

    if (data->file->offset != next_marker)
 @@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
        ht = grub_jpeg_get_byte (data);
        data->comp_index[id][1] = (ht >> 4);
        data->comp_index[id][2] = (ht & 0xF) + 2;
 +
 +      if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
 +	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
 +	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
      }

    grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */
 --
 2.14.2
	From 693989598fd38c3c0b2a928f4f64865b5681762f Mon Sep 17 00:00:00 2001
	From: Daniel Axtens <dja@axtens.net>
	Date: Fri, 15 Jan 2021 12:57:04 +1100
	Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
	or Huffman tables

	Our decoder only supports 2 quantization tables. If a file asks for
	a quantization table with index > 1, reject it.

	Similarly, our decoder only supports 4 Huffman tables. If a file asks
	for a Huffman table with index > 3, reject it.

	This fixes some out of bounds reads. It's not clear what degree of control
	over subsequent execution could be gained by someone who can carefully
	set up the contents of memory before loading an invalid JPEG file.

	Signed-off-by: Daniel Axtens <dja@axtens.net>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
	---
	grub-core/video/readers/jpeg.c \| 8 ++++++++
	1 file changed, 8 insertions(+)

	diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
	index 0b6ce3c..23f919a 100644
	--- a/grub-core/video/readers/jpeg.c
	+++ b/grub-core/video/readers/jpeg.c
	@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
	else if (ss != JPEG_SAMPLING_1x1)
	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
	"jpeg: sampling method not supported");
	+
	data->comp_index[id][0] = grub_jpeg_get_byte (data);
	+ if (data->comp_index[id][0] > 1)
	+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
	+ "jpeg: too many quantization tables");
	}

	if (data->file->offset != next_marker)
	@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
	ht = grub_jpeg_get_byte (data);
	data->comp_index[id][1] = (ht >> 4);
	data->comp_index[id][2] = (ht & 0xF) + 2;
	+
	+ if ((data->comp_index[id][1] < 0) \|\| (data->comp_index[id][1] > 3) \|\|
	+ (data->comp_index[id][2] < 0) \|\| (data->comp_index[id][2] > 3))
	+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
	}

	grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
	--
	2.14.2