video/readers/png: Avoid heap OOB R/W inserting huff table items

In fuzzing we observed crashes where a code would attempt to be inserted into a huffman table before the start, leading to a set of heap OOB reads and writes as table entries with negative indices were shifted around and the new code written in. Catch the case where we would underflow the array and bail. Fixes: CVE-2021-3696 Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
author: Daniel Axtens <dja@axtens.net> 2021-07-06 23:25:07 +1000
committer: Daniel Kiper <daniel.kiper@oracle.com> 2022-06-07 16:39:32 +0200
commit: 210245129c932dc9e1c2748d9d35524fb95b5042 (patch)
tree: 8d8df1b152121ad6ea5d64678cad345c8558b22b
parent: e623866d9286410156e8b9d2c82d6253a1b22d08 (diff)
download: grub-210245129c932dc9e1c2748d9d35524fb95b5042.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index a3161e25b..d7ed5aa6c 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
   for (i = len; i < ht->max_length; i++)
     n += ht->maxval[i];
 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "png: out of range inserting huffman table item");
+      return;
+    }
+
   for (i = 0; i < n; i++)
     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
author	Daniel Axtens <dja@axtens.net>	2021-07-06 23:25:07 +1000
committer	Daniel Kiper <daniel.kiper@oracle.com>	2022-06-07 16:39:32 +0200
commit	210245129c932dc9e1c2748d9d35524fb95b5042 (patch)
tree	8d8df1b152121ad6ea5d64678cad345c8558b22b
parent	e623866d9286410156e8b9d2c82d6253a1b22d08 (diff)
download	grub-210245129c932dc9e1c2748d9d35524fb95b5042.tar.gz