diff options
author | Daniel Axtens <dja@axtens.net> | 2021-07-06 23:25:07 +1000 |
---|---|---|
committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-06-07 16:39:32 +0200 |
commit | 210245129c932dc9e1c2748d9d35524fb95b5042 (patch) | |
tree | 8d8df1b152121ad6ea5d64678cad345c8558b22b | |
parent | e623866d9286410156e8b9d2c82d6253a1b22d08 (diff) | |
download | grub-210245129c932dc9e1c2748d9d35524fb95b5042.tar.gz |
video/readers/png: Avoid heap OOB R/W inserting huff table items
In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.
Catch the case where we would underflow the array and bail.
Fixes: CVE-2021-3696
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-rw-r--r-- | grub-core/video/readers/png.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c index a3161e25b..d7ed5aa6c 100644 --- a/grub-core/video/readers/png.c +++ b/grub-core/video/readers/png.c @@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) for (i = len; i < ht->max_length; i++) n += ht->maxval[i]; + if (n > ht->num_values) + { + grub_error (GRUB_ERR_BAD_FILE_TYPE, + "png: out of range inserting huffman table item"); + return; + } + for (i = 0; i < n; i++) ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; |