| From 8338a8238f08d9f3ae4c2ddfff0603eff80af9e2 Mon Sep 17 00:00:00 2001 |
| From: Daniel Axtens <dja@axtens.net> |
| Date: Fri, 15 Jan 2021 14:06:46 +1100 |
| Subject: [PATCH] video/readers/jpeg: Don't decode data before start of stream |
| |
| When a start of stream marker is encountered, we call grub_jpeg_decode_sos() |
| which allocates space for a bitmap. |
| |
| When a restart marker is encountered, we call grub_jpeg_decode_data() which |
| then fills in that bitmap. |
| |
| If we get a restart marker before the start of stream marker, we will |
| attempt to write to a bitmap_ptr that hasn't been allocated. Catch this |
| and bail out. This fixes an attempt to write to NULL. |
| |
| Signed-off-by: Daniel Axtens <dja@axtens.net> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| Signed-off-by: Stefan SΓΈrensen <stefan.sorensen@spectralink.com> |
| --- |
| grub-core/video/readers/jpeg.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c |
| index e514812..e31602f 100644 |
| --- a/grub-core/video/readers/jpeg.c |
| +++ b/grub-core/video/readers/jpeg.c |
| @@ -646,6 +646,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) |
| nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs); |
| nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs); |
| |
| + if (data->bitmap_ptr == NULL) |
| + return grub_error(GRUB_ERR_BAD_FILE_TYPE, |
| + "jpeg: attempted to decode data before start of stream"); |
| + |
| for (; data->r1 < nr1 && (!data->dri || rst); |
| data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) |
| for (c1 = 0; c1 < nc1 && (!data->dri || rst); |
| -- |
| 2.14.2 |
| |