The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.

This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when the limit is reached.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

This modifies most of the places we do some form of:

    X = malloc(Y * Z);

to use calloc(Y, Z) instead.

Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
  reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
  reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
  reported by Chris Coulson.

Fixes: CVE-2020-14308

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: safe-alloc-3.patch

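An added example, not part of these commit messages or of GRUB's own code, that shows in C the two defects the messages describe side by side with their fixes: an 8-bit bit-field counter that wraps from 255 to 0 when incremented without a limit check, and a Y * Z size that wraps before malloc() ever sees it, next to an allocation that refuses to proceed on overflow in the spirit of the calloc(Y, Z) change. The struct, NCOMB_MAX and the helper names are constructed stand-ins, not GRUB identifiers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a glyph whose ncomb is an 8-bit bit-field. */
struct glyph {
    unsigned int ncomb:8;     /* holds 0..255; 255 + 1 wraps to 0 */
};

/* Stand-in for the GRUB_UNICODE_NCOMB_MAX limit the commit introduces;
   255 is simply the largest value the bit-field can hold. */
#define NCOMB_MAX 255

/* Old behaviour: increment without a check. Returns the resulting count,
   which is 0 when start was 255, the wrap the commit message describes. */
static unsigned int ncomb_inc_unchecked(unsigned int start)
{
    struct glyph g = { .ncomb = start };
    g.ncomb++;                /* 255 -> 0, not 256 */
    return g.ncomb;
}

/* Fixed behaviour: stop counting at the limit, so additional combining
   characters are ignored and ncomb can never wrap. */
static unsigned int ncomb_inc_checked(unsigned int start)
{
    struct glyph g = { .ncomb = start };
    if (g.ncomb < NCOMB_MAX)
        g.ncomb++;
    return g.ncomb;
}

/* True when y * z cannot be represented in size_t, i.e. malloc(y * z)
   would silently receive a wrapped, far too small size. */
static bool alloc_size_overflows(size_t y, size_t z)
{
    return z != 0 && y > SIZE_MAX / z;
}

/* Overflow-aware allocation in the spirit of the calloc(Y, Z) change:
   returns NULL instead of an undersized buffer when y * z would wrap. */
static void *alloc_array(size_t y, size_t z)
{
    if (alloc_size_overflows(y, z))
        return NULL;
    return calloc(y, z);
}
```

A caller of alloc_array() must treat NULL as a hard failure; the dangerous outcome the commits fix is not the failed allocation but a successful, undersized one.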
	* include/grub/unicode.h (GRUB_UNICODE_DOTLESS_LOWERCASE_I): New enum
	value.
	(GRUB_UNICODE_DOTLESS_LOWERCASE_J): Likewise.
	* grub-core/font/font.c (grub_font_construct_dry_run): Replace i and j
	with dotless variants when any combining above is present.
	* grub-core/normal/charset.c (grub_unicode_aglomerate_comb): Don't
	agglomerate control characters with combining marks.
	(bidi_line_wrap): Allow break on tab.
	(grub_unicode_get_comb_start): New function.
	* grub-core/normal/menu_entry.c: Restructure to handle wide characters
	and tab correctly.
	* grub-core/normal/menu_text.c (print_entry): Replace \n, \r, \b and \e
	with a space.
	* grub-core/normal/term.c (print_ucs4_terminal): New argument
	fixed_tab_size. All users updated.
	* include/grub/term.h (GRUB_TERM_TAB_WIDTH): New const.
	(grub_term_getcharwidth): Handle \t.
	* include/grub/unicode.h (grub_unicode_glyph_dup): Fix allocation
	and copy.