proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-07-24 19:01:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
34b85a6e07
grub2/grub-core/video
History
Daniel Axtens 34b85a6e07 video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() 
The key line is:

  du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];

jpeg_zigzag_order is grub_uint8_t[64].

I don't understand JPEG decoders quite well enough to explain what's
going on here. However, I observe sometimes pos=64, which leads to an
OOB read of the jpeg_zigzag_order global then an OOB write to du.
That leads to various unpleasant memory corruption conditions.

Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2021-03-02 15:54:18 +01:00
..
coreboot coreboot: Split parts that are platform-independent. 2017-05-08 19:10:24 +02:00
emu calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
fb video/fb/video_fb: Fix possible integer overflow 2021-03-02 15:54:17 +01:00
i386/pc calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
readers video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() 2021-03-02 15:54:18 +01:00
bitmap_scale.c bitmap_scale: Optimize by moving division out of the loop. 2015-02-26 18:13:36 +01:00
bitmap.c malloc: Use overflow checking primitives where we do complex allocations 2020-07-29 16:55:47 +02:00
bochs.c video/bochs: Fix typo 2020-09-11 15:45:56 +02:00
capture.c calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
cirrus.c Document intentional fallthroughs. 2015-01-27 17:17:58 +01:00
colors.c Detach optional parts of gfxterm and integrate in with coreboot init. 2013-05-31 00:42:33 +02:00
efi_gop.c video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info() 2021-03-02 15:54:17 +01:00
efi_uga.c efi/uga: Use video instead of fb as debug condition 2020-03-10 21:41:38 +01:00
ieee1275.c i386, x86_64, ppc: fix switch fallthrough cases with GCC7 2017-04-04 19:23:55 +03:00
radeon_fuloong2e.c * grub-core/gfxmenu/gui_box.c: Updated to work with area status. 2013-11-08 15:42:38 +04:00
radeon_yeeloong3a.c Add Radeon Yeeloong 3A support. 2013-12-17 22:52:04 +01:00
sis315_init.c Fuloong video init support. 2011-05-16 02:34:58 +02:00
sis315pro.c * grub-core/gfxmenu/gui_box.c: Updated to work with area status. 2013-11-08 15:42:38 +04:00
sm712_init.c merge with mainline 2010-08-19 16:54:00 +05:30
sm712.c * grub-core/gfxmenu/gui_box.c: Updated to work with area status. 2013-11-08 15:42:38 +04:00
video.c video: skip 'text' gfxpayload if not supported, to fallback to default 2019-05-20 13:00:44 +02:00