1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
new file mode 100644
index 0000000000..f06514e665
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
@@ -0,0 +1,50 @@
+From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 23:25:07 +1000
+Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
+ items
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+Catch the case where we would underflow the array and bail.
+Fixes: CVE-2021-3696
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport
+CVE: CVE-2021-3696
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index a3161e25b..d7ed5aa6c 100644
+--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
+@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+   for (i = len; i < ht->max_length; i++)
+     n += ht->maxval[i];
+ 
+  if (n > ht->num_values)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                 "png: out of range inserting huffman table item");
+      return;
+    }
+
+   for (i = 0; i < n; i++)
+     ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+ 
+-- 
+2.34.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch new file mode 100644 index 0000000000..f06514e665 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
@@ -0,0 +1,50 @@
	1	From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001
	2	From: Daniel Axtens <dja@axtens.net>
	3	Date: Tue, 6 Jul 2021 23:25:07 +1000
	4	Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
	5	items
	6
	7	In fuzzing we observed crashes where a code would attempt to be inserted
	8	into a huffman table before the start, leading to a set of heap OOB reads
	9	and writes as table entries with negative indices were shifted around and
	10	the new code written in.
	11
	12	Catch the case where we would underflow the array and bail.
	13
	14	Fixes: CVE-2021-3696
	15
	16	Signed-off-by: Daniel Axtens <dja@axtens.net>
	17	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	18
	19	Upstream-Status: Backport
	20	CVE: CVE-2021-3696
	21
	22	Reference to upstream patch:
	23	https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042
	24
	25	Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
	26	---
	27	grub-core/video/readers/png.c \| 7 +++++++
	28	1 file changed, 7 insertions(+)
	29
	30	diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
	31	index a3161e25b..d7ed5aa6c 100644
	32	--- a/grub-core/video/readers/png.c
	33	+++ b/grub-core/video/readers/png.c
	34	@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
	35	for (i = len; i < ht->max_length; i++)
	36	n += ht->maxval[i];
	37
	38	+ if (n > ht->num_values)
	39	+ {
	40	+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
	41	+ "png: out of range inserting huffman table item");
	42	+ return;
	43	+ }
	44	+
	45	for (i = 0; i < n; i++)
	46	ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
	47
	48	--
	49	2.34.1
	50