proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-10-04 22:00:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

video/readers/png: Avoid heap OOB R/W inserting huff table items

Browse Source 
In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.

Catch the case where we would underflow the array and bail.

Fixes: CVE-2021-3696

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Daniel Axtens 2021-07-06 23:25:07 +10:00 committed by Julian Andres Klode
parent 558c69b5d3
commit 21e3b255f9
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
grub-core/video/readers/png.c
View File

@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
for (i = len; i < ht->max_length; i++) for (i = len; i < ht->max_length; i++)
n += ht->maxval[i]; n += ht->maxval[i];
if (n > ht->num_values)
{
grub_error (GRUB_ERR_BAD_FILE_TYPE,
"png: out of range inserting huffman table item");
return;
}
for (i = 0; i < n; i++) for (i = 0; i < n; i++)
ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];