登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
8 Star 0 Fork 48

src-anolis-os/grub2

代码 Issues 3 Pull Requests 4 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
0522-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch 2.11 KB
一键复制 编辑 原始数据 按行查看 历史
小龙 提交于 2023-01-10 16:28 . update to grub2-2.02-142.el8_7.1
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Wed, 7 Jul 2021 15:38:19 +1000

Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write



Certain 1 px wide images caused a wild pointer write in

grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),

we have the following loop:



for (; data->r1 < nr1 && (!data->dri || rst);

     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)



We did not check if vb * width >= hb * nc1.



On a 64-bit platform, if that turns out to be negative, it will underflow,

be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so

we see data->bitmap_ptr jump, e.g.:



0x6180_0000_0480 to

0x6181_0000_0498

     ^

     ~--- carry has occurred and this pointer is now far away from

          any object.



On a 32-bit platform, it will decrement the pointer, creating a pointer

that won't crash but will overwrite random data.



Catch the underflow and error out.



Fixes: CVE-2021-3697



Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

(cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)

(cherry picked from commit 5f9582490792108306d047379fed2371bee286f8)

(cherry picked from commit 7e4bf25d9bb5219fbf11c523296dc3bd78b80698)

---

 grub-core/video/readers/jpeg.c | 4 ++++

 1 file changed, 4 insertions(+)



diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c

index 1df1171d78..2da04094b3 100644

--- a/grub-core/video/readers/jpeg.c

+++ b/grub-core/video/readers/jpeg.c

@@ -705,6 +705,10 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)

     return grub_error (GRUB_ERR_BAD_FILE_TYPE,

 		       "jpeg: attempted to decode data before start of stream");

 

+  if (vb * data->image_width <= hb * nc1)

+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		       "jpeg: cannot decode image with these dimensions");

+

   for (; data->r1 < nr1 && (!data->dri || rst);

        data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)

     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/src-anolis-os/grub2.git
git@gitee.com:src-anolis-os/grub2.git
src-anolis-os
grub2
grub2
a8
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
23e8dbc6 1850385 7e0993f3 1850385