[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL |
Date: |
Tue, 2 Mar 2021 19:01:29 +0100 |
From: Daniel Axtens <dja@axtens.net>
This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
However, it seems to be sufficient to patch up a bunch of NULL derefs.
It would be good to revisit this in future and see if we can have
a cleaner solution that addresses some of the causes of the unexpected
NULL pointers.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/io/gzio.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
index 43d98a7bd..4a8eaeae2 100644
--- a/grub-core/io/gzio.c
+++ b/grub-core/io/gzio.c
@@ -669,6 +669,13 @@ inflate_codes_in_window (grub_gzio_t gzio)
{
if (! gzio->code_state)
{
+
+ if (gzio->tl == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
+ return 1;
+ }
+
NEEDBITS ((unsigned) gzio->bl);
if ((e = (t = gzio->tl + ((unsigned) b & ml))->e) > 16)
do
@@ -707,6 +714,12 @@ inflate_codes_in_window (grub_gzio_t gzio)
n = t->v.n + ((unsigned) b & mask_bits[e]);
DUMPBITS (e);
+ if (gzio->td == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->td");
+ return 1;
+ }
+
/* decode distance of block to copy */
NEEDBITS ((unsigned) gzio->bd);
if ((e = (t = gzio->td + ((unsigned) b & md))->e) > 16)
@@ -917,6 +930,13 @@ init_dynamic_block (grub_gzio_t gzio)
n = nl + nd;
m = mask_bits[gzio->bl];
i = l = 0;
+
+ if (gzio->tl == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
+ return;
+ }
+
while ((unsigned) i < n)
{
NEEDBITS ((unsigned) gzio->bl);
--
2.11.0
- [SECURITY PATCH 061/117] commands/ls: Require device_name is not NULL before printing, (continued)
- [SECURITY PATCH 061/117] commands/ls: Require device_name is not NULL before printing, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 066/117] kern/misc: Always set *end in grub_strtoull(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 063/117] lib/arg: Block repeated short options that require an argument, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 065/117] commands/menuentry: Fix quoting in setparams_prefix(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs that are too big, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 064/117] script/execute: Don't crash on a "for" loop with no items, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 069/117] video/readers/jpeg: Don't decode data before start of stream, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 072/117] fs/hfsplus: Don't fetch a key beyond the end of the node, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL,
Daniel Kiper <=
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 077/117] fs/jfs: Limit the extents that getblk() can consider, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02