diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2021-3696.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2021-3696.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch new file mode 100644 index 0000000000..ef6da945c4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 20 Jul 2022 10:05:42 +0530 | ||
4 | Subject: [PATCH] CVE-2021-3696 | ||
5 | |||
6 | Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042] | ||
7 | CVE: CVE-2021-3696 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | video/readers/png: Avoid heap OOB R/W inserting huff table items | ||
11 | |||
12 | In fuzzing we observed crashes where a code would attempt to be inserted | ||
13 | into a huffman table before the start, leading to a set of heap OOB reads | ||
14 | and writes as table entries with negative indices were shifted around and | ||
15 | the new code written in. | ||
16 | |||
17 | Catch the case where we would underflow the array and bail. | ||
18 | |||
19 | Fixes: CVE-2021-3696 | ||
20 | Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
21 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
22 | --- | ||
23 | grub-core/video/readers/png.c | 7 +++++++ | ||
24 | 1 file changed, 7 insertions(+) | ||
25 | |||
26 | diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
27 | index 36b3f10..3c05951 100644 | ||
28 | --- a/grub-core/video/readers/png.c | ||
29 | +++ b/grub-core/video/readers/png.c | ||
30 | @@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) | ||
31 | for (i = len; i < ht->max_length; i++) | ||
32 | n += ht->maxval[i]; | ||
33 | |||
34 | + if (n > ht->num_values) | ||
35 | + { | ||
36 | + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
37 | + "png: out of range inserting huffman table item"); | ||
38 | + return; | ||
39 | + } | ||
40 | + | ||
41 | for (i = 0; i < n; i++) | ||
42 | ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; | ||
43 | |||
44 | -- | ||
45 | 2.25.1 | ||
46 | |||