video/readers/jpeg: Fix possible invalid loop boundary condition

The value of next_marker is adjusted based on the word sized value read from data->file. The updated next_marker value should reference a location in the file just beyond the huffman table, and as such should not have a value larger than the size of the file. Fixes: CID 73657 Signed-off-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
author: Darren Kenny <darren.kenny@oracle.com> 2022-04-05 18:25:52 +0000
committer: Daniel Kiper <daniel.kiper@oracle.com> 2022-04-20 18:29:00 +0200
commit: c244e331b9f56f10a67b8b027d6ccab1d45dcadb (patch)
tree: b6d2e6097d39ec8f1d7c2b529fa817faf4b210ec
parent: 3ce13d974b887338ae972c79b41ff6fc0eee6388 (diff)
download: grub-c244e331b9f56f10a67b8b027d6ccab1d45dcadb.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index e31602f76..c47ffd651 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -199,6 +199,12 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
   next_marker = data->file->offset;
   next_marker += grub_jpeg_get_word (data);
 
+  if (next_marker > data->file->size)
+    {
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+			 "jpeg: invalid huffman table");
+    }
+
   while (data->file->offset + sizeof (count) + 1 <= next_marker)
     {
       id = grub_jpeg_get_byte (data);
author	Darren Kenny <darren.kenny@oracle.com>	2022-04-05 18:25:52 +0000
committer	Daniel Kiper <daniel.kiper@oracle.com>	2022-04-20 18:29:00 +0200
commit	c244e331b9f56f10a67b8b027d6ccab1d45dcadb (patch)
tree	b6d2e6097d39ec8f1d7c2b529fa817faf4b210ec
parent	3ce13d974b887338ae972c79b41ff6fc0eee6388 (diff)
download	grub-c244e331b9f56f10a67b8b027d6ccab1d45dcadb.tar.gz