[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting h
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting huff table items |
Date: |
Tue, 7 Jun 2022 19:01:18 +0200 |
From: Daniel Axtens <dja@axtens.net>
In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.
Catch the case where we would underflow the array and bail.
Fixes: CVE-2021-3696
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/png.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index a3161e25b..d7ed5aa6c 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int
code, int len)
for (i = len; i < ht->max_length; i++)
n += ht->maxval[i];
+ if (n > ht->num_values)
+ {
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: out of range inserting huffman table item");
+ return;
+ }
+
for (i = 0; i < n; i++)
ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
--
2.11.0
- [SECURITY PATCH 01/30] loader/efi/chainloader: Simplify the loader state, (continued)
- [SECURITY PATCH 01/30] loader/efi/chainloader: Simplify the loader state, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 04/30] kern/efi/sb: Reject non-kernel files in the shim_lock verifier, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 13/30] video/readers/jpeg: Refuse to handle multiple start of streams, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operation fails, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 05/30] kern/file: Do not leak device_name on error in grub_file_open(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 26/30] fs/f2fs: Do not read past the end of nat bitmap, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 12/30] video/readers/jpeg: Do not reallocate a given huff table, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 03/30] loader/efi/chainloader: Use grub_loader_set_ex(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 10/30] video/readers/png: Sanity check some huffman codes, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting huff table items,
Daniel Kiper <=
- [SECURITY PATCH 07/30] video/readers/png: Refuse to handle multiple image headers, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 15/30] normal/charset: Fix array out-of-bounds formatting unicode for display, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we're checking against, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 20/30] net/tftp: Prevent a UAF and double-free from a failed seek, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS response, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 17/30] net/netbuff: Block overly large netbuff allocs, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 24/30] net/http: Error out on headers with LF without CR, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 08/30] video/readers/png: Drop greyscale support to fix heap out-of-bounds write, Daniel Kiper, 2022/06/07