Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2022-3775.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2022-3775.patch | 97 |
1 files changed, 97 insertions, 0 deletions
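--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/font/font.c | 16 ++++++++--------
+1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ctx.bounds.height = main_glyph->height;
+
+above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+below_righty = ctx.bounds.y;
+
+comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+if (!combining_glyphs[i])
+continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+/* CGJ is to avoid diacritics reordering. */
+if (comb[i].code
+== GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+case GRUB_UNICODE_COMB_OVERLAY:
+do_blit (combining_glyphs[i],
+targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+if (min_devwidth < combining_glyphs[i]->width)
+min_devwidth = combining_glyphs[i]->width;
+break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+/* Fallthrough. */
+case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
++ combining_glyphs[i]->height), &ctx);
+if (min_devwidth < combining_glyphs[i]->width)
+min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
++ combining_glyphs[i]->height / 2), &ctx);
+if (min_devwidth < combining_glyphs[i]->width)
+min_devwidth = combining_glyphs[i]->width;
+--
+2.25.1
+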
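Review bot: The eight `(int)` casts on `ctx.bounds.width` and `ctx.bounds.height` address the expressions shown, but the new code carries no comment saying why they are required, so a later edit to `blit_comb` could drop one and bring back unsigned arithmetic on coordinates. The patch description states that the bounds fields are unsigned while coordinates may be negative; a comment above the first cast (the `above_righty` assignment) would record that in the source: `/* bounds.width/height are unsigned; cast to int before mixing with signed coordinates. */`. `blit_comb` begins and ends outside these hunks, so any other expression in it that combines the bounds with signed offsets is not visible here and should be checked against the GRUB version this recipe builds. The diffstat is limited to this one file, so it is also worth confirming that the recipe's `SRC_URI` lists the patch, since otherwise it is not applied.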