Diffstat (limited to 'meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch | 117 |
1 files changed, 117 insertions, 0 deletions
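diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..d4ba3cafc5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+grub-core/font/font.c | 17 +++++++++++++----
+include/grub/bitmap.h | 18 ++++++++++++++++++
+include/grub/safemath.h | 2 ++
+3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+grub_int16_t xoff;
+grub_int16_t yoff;
+grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+if (index_entry->glyph)
+/* Return cached glyph. */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+return 0;
+}
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+{
+remove_font (font);
+return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+#include <grub/symbol.h>
+#include <grub/types.h>
+#include <grub/video.h>
++#include <grub/safemath.h>
+
+struct grub_video_bitmap
+{
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+return bitmap->mode_info.height;
+}
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+#else
+#error gcc 5.1 or newer or clang 3.8 or newer is required
+#endif
+--
+2.25.1
+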
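Review bot: The patch header records `Upstream-Status: Backport [...]` but has no `CVE:` trailer, so tooling that reads patch headers to decide whether an advisory is addressed will not credit this fix. If the overflow is tracked under an identifier, add `CVE: <CVE-ID>` (placeholder; the identifier is not on this page) next to the Upstream-Status line. If the patch is only a prerequisite for a later fix, say so in the header. In the embedded font.c hunk the new overflow branch does `remove_font (font); return 0;` without recording an error, so a font rejected for oversized glyph dimensions fails silently. That matches upstream and should stay as is in a backport, but it is worth knowing when triaging a font that will not load. The function body continues outside the hunk, so how `len` is used by the later file read cannot be checked from here. The diffstat is limited to this one path, so confirm separately that the recipe's `SRC_URI` lists the new patch, otherwise the fix is never applied.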