author | Darren Kenny <darren.kenny@oracle.com> | 2022-04-05 18:25:52 +0000 |
---|---|---|
committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-04-20 18:29:00 +0200 |
commit | c244e331b9f56f10a67b8b027d6ccab1d45dcadb (patch) | |
tree | b6d2e6097d39ec8f1d7c2b529fa817faf4b210ec | |
parent | 3ce13d974b887338ae972c79b41ff6fc0eee6388 (diff) | |
download | grub-c244e331b9f56f10a67b8b027d6ccab1d45dcadb.tar.gz |
video/readers/jpeg: Fix possible invalid loop boundary condition
The value of next_marker is adjusted based on the word sized value
read from data->file.
The updated next_marker value should reference a location in the file
just beyond the huffman table, and as such should not have a value
larger than the size of the file.
Fixes: CID 73657
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-rw-r--r-- | grub-core/video/readers/jpeg.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c index e31602f76..c47ffd651 100644 --- a/grub-core/video/readers/jpeg.c +++ b/grub-core/video/readers/jpeg.c @@ -199,6 +199,12 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data) next_marker = data->file->offset; next_marker += grub_jpeg_get_word (data); + if (next_marker > data->file->size) + { + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: invalid huffman table"); + } + while (data->file->offset + sizeof (count) + 1 <= next_marker) { id = grub_jpeg_get_byte (data); |
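Review bot: In the new check ahead of the while loop in grub_jpeg_decode_huff_table, the error text "jpeg: invalid huffman table" does not say what was wrong. This branch fires only when next_marker > data->file->size, so a message stating that the table length runs past the end of the file would make a truncated or malformed image easier to diagnose. The comparison uses >, so a next_marker equal to the file size is still accepted, which agrees with the commit message's "just beyond the huffman table"; a one-line comment saying so would save the next reader from wondering about an off-by-one. The braces around the lone return statement can be dropped. The declarations of next_marker and data->file->size are outside the hunk, so please confirm that the addition of the word value cannot wrap and that the comparison does not mix signed and unsigned operands.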