mirror of
https://git.proxmox.com/git/grub2
synced 2025-07-23 18:55:17 +00:00
video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
The key line is: du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; jpeg_zigzag_order is grub_uint8_t[64]. I don't understand JPEG decoders quite well enough to explain what's going on here. However, I observe sometimes pos=64, which leads to an OOB read of the jpeg_zigzag_order global then an OOB write to du. That leads to various unpleasant memory corruption conditions. Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
parent
693989598f
commit
34b85a6e07
@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
|
||||
val = grub_jpeg_get_number (data, num & 0xF);
|
||||
num >>= 4;
|
||||
pos += num;
|
||||
|
||||
if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
|
||||
{
|
||||
grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
"jpeg: invalid position in zigzag order!?");
|
||||
return;
|
||||
}
|
||||
|
||||
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
|
||||
pos++;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user