[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs t
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs that are too big |
Date: |
Tue, 2 Mar 2021 19:01:17 +0100 |
From: Daniel Axtens <dja@axtens.net>
Catch the case where we have a font so big that it causes the number of
rows or columns to be 0. Currently we continue and allocate a
virtual_screen.text_buffer of size 0. We then try to use that for glpyhs
and things go badly.
On the emu platform, malloc() may give us a valid pointer, in which case
we'll access heap memory which we shouldn't. Alternatively, it may give us
NULL, in which case we'll crash. For other platforms, if I understand
grub_memalign() correctly, we will receive a valid but small allocation
that we will very likely later overrun.
Prevent the creation of a virtual screen that isn't at least 40 cols
by 12 rows. This is arbitrary, but it seems that if your width or height
is half a standard 80x24 terminal, you're probably going to struggle to
read anything anyway.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/term/gfxterm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/term/gfxterm.c b/grub-core/term/gfxterm.c
index af7c090a3..b40fcce91 100644
--- a/grub-core/term/gfxterm.c
+++ b/grub-core/term/gfxterm.c
@@ -232,6 +232,15 @@ grub_virtual_screen_setup (unsigned int x, unsigned int y,
virtual_screen.columns = virtual_screen.width /
virtual_screen.normal_char_width;
virtual_screen.rows = virtual_screen.height /
virtual_screen.normal_char_height;
+ /*
+ * There must be a minimum number of rows and columns for the screen to
+ * make sense. Arbitrarily pick half of 80x24. If either dimensions is 0
+ * we would allocate 0 bytes for the text_buffer.
+ */
+ if (virtual_screen.columns < 40 || virtual_screen.rows < 12)
+ return grub_error (GRUB_ERR_BAD_FONT,
+ "font: glyphs too large to fit on screen");
+
/* Allocate memory for text buffer. */
virtual_screen.text_buffer =
(struct grub_colored_char *) grub_malloc (virtual_screen.columns
--
2.11.0
- [SECURITY PATCH 057/117] util/grub-install: Fix NULL pointer dereferences, (continued)
- [SECURITY PATCH 057/117] util/grub-install: Fix NULL pointer dereferences, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 058/117] util/grub-editenv: Fix incorrect casting of a signed value, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 059/117] util/glue-efi: Fix incorrect use of a possibly negative value, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 062/117] script/execute: Avoid crash when using "$#" outside a function scope, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 060/117] script/execute: Fix NULL dereference in grub_script_execute_cmdline(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 067/117] video/readers/jpeg: Catch files with unsupported quantization or Huffman tables, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 061/117] commands/ls: Require device_name is not NULL before printing, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 066/117] kern/misc: Always set *end in grub_strtoull(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 063/117] lib/arg: Block repeated short options that require an argument, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 065/117] commands/menuentry: Fix quoting in setparams_prefix(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs that are too big,
Daniel Kiper <=
- [SECURITY PATCH 064/117] script/execute: Don't crash on a "for" loop with no items, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 069/117] video/readers/jpeg: Don't decode data before start of stream, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 072/117] fs/hfsplus: Don't fetch a key beyond the end of the node, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys, Daniel Kiper, 2021/03/02