diff options
author | Daniel Axtens <dja@axtens.net> | 2021-07-06 19:19:11 +1000 |
---|---|---|
committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-06-07 16:39:32 +0200 |
commit | 690bee69fae6b4bd911293d6b7e56774e29fdf64 (patch) | |
tree | 53e4ea7ebddad5b840a725471e5a016d4ac05cac | |
parent | 210245129c932dc9e1c2748d9d35524fb95b5042 (diff) | |
download | grub-690bee69fae6b4bd911293d6b7e56774e29fdf64.tar.gz |
video/readers/png: Sanity check some huffman codes
ASAN picked up two OOB global reads: we weren't checking if some code
values fit within the cplens or cpdext arrays. Check and throw an error
if not.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-rw-r--r-- | grub-core/video/readers/png.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c index d7ed5aa6c..7f2ba7849 100644 --- a/grub-core/video/readers/png.c +++ b/grub-core/video/readers/png.c @@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data) int len, dist, pos; n -= 257; + if (((unsigned int) n) >= ARRAY_SIZE (cplens)) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "png: invalid huff code"); len = cplens[n]; if (cplext[n]) len += grub_png_get_bits (data, cplext[n]); @@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data) return grub_errno; n = grub_png_get_huff_code (data, &data->dist_table); + if (((unsigned int) n) >= ARRAY_SIZE (cpdist)) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "png: invalid huff code"); dist = cpdist[n]; if (cpdext[n]) dist += grub_png_get_bits (data, cpdext[n]); |