video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()

The key line is: du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; jpeg_zigzag_order is grub_uint8_t[64]. I don't understand JPEG decoders quite well enough to explain what's going on here. However, I observe sometimes pos=64, which leads to an OOB read of the jpeg_zigzag_order global then an OOB write to du. That leads to various unpleasant memory corruption conditions. Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-07-24 20:48:14 +00:00 · 2021-01-15 13:29:53 +11:00 · 2021-01-15 13:29:53 +11:00 · 34b85a6e07
commit 34b85a6e07
parent 693989598f
1 changed files with 8 additions and 0 deletions
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
      val = grub_jpeg_get_number (data, num & 0xF);
      num >>= 4;
      pos += num;
+
+      if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
+	{
+	  grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		      "jpeg: invalid position in zigzag order!?");
+	  return;
+	}
+
      du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
      pos++;
    }