diff options
author | Marta Rybczynska <rybczynska@gmail.com> | 2022-02-18 11:05:43 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-02 00:21:37 +0000 |
commit | 4463703292afe44f2661305abc166272783aae8f (patch) | |
tree | 28291c487e04c1e31262019423e8c96f82d3467f /meta/recipes-bsp | |
parent | eca24c02eac4dcfcbe71be367a9950cffe4bca27 (diff) | |
download | poky-4463703292afe44f2661305abc166272783aae8f.tar.gz |
grub: test for malformed jpeg files
This patch adds a fix for handling malformed JPEG files in grub's
video/readers/jpeg. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
(From OE-Core rev: d8cdb3a17f6e874d232979307a3f25511172d086)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r-- | meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch | 38 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch new file mode 100644 index 0000000000..3fca2aecb5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001 | ||
2 | From: Darren Kenny <darren.kenny@oracle.com> | ||
3 | Date: Fri, 4 Dec 2020 15:39:00 +0000 | ||
4 | Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference | ||
5 | from a jpeg file | ||
6 | |||
7 | While it may never happen, and potentially could be caught at the end of | ||
8 | the function, it is worth checking up front for a bad reference to the | ||
9 | next marker just in case of a maliciously crafted file being provided. | ||
10 | |||
11 | Fixes: CID 73694 | ||
12 | |||
13 | Signed-off-by: Darren Kenny <darren.kenny@oracle.com> | ||
14 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
15 | |||
16 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e] | ||
17 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
18 | --- | ||
19 | grub-core/video/readers/jpeg.c | 6 ++++++ | ||
20 | 1 file changed, 6 insertions(+) | ||
21 | |||
22 | diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
23 | index 31359a4..0b6ce3c 100644 | ||
24 | --- a/grub-core/video/readers/jpeg.c | ||
25 | +++ b/grub-core/video/readers/jpeg.c | ||
26 | @@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) | ||
27 | next_marker = data->file->offset; | ||
28 | next_marker += grub_jpeg_get_word (data); | ||
29 | |||
30 | + if (next_marker > data->file->size) | ||
31 | + { | ||
32 | + /* Should never be set beyond the size of the file. */ | ||
33 | + return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference"); | ||
34 | + } | ||
35 | + | ||
36 | while (data->file->offset + sizeof (data->quan_table[id]) + 1 | ||
37 | <= next_marker) | ||
38 | { | ||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 04c9b4c092..75782b7eb2 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -81,6 +81,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
81 | file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \ | 81 | file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \ |
82 | file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \ | 82 | file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \ |
83 | file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \ | 83 | file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \ |
84 | file://0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch \ | ||
84 | " | 85 | " |
85 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 86 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
86 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 87 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |