Z572/grub
1
0
Fork 0
mirror of http://cgit.git.savannah.gnu.org/git/grub.git synced 2026-04-28 06:33:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

video/readers/png: Avoid heap OOB R/W inserting huff table items

Browse Source 
In fuzzing we observed crashes where a code would attempt to be inserted
into a huffman table before the start, leading to a set of heap OOB reads
and writes as table entries with negative indices were shifted around and
the new code written in.

Catch the case where we would underflow the array and bail.

Fixes: CVE-2021-3696

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Daniel Axtens
2021-07-06 23:25:07 +10:00
committed by Daniel Kiper
parent e623866d92
commit 210245129c
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
grub-core/video/readers/png.c
View File

@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
for (i = len; i < ht->max_length; i++)
n += ht->maxval[i];
if (n > ht->num_values)
{
grub_error (GRUB_ERR_BAD_FILE_TYPE,
"png: out of range inserting huffman table item");
return;
}
for (i = 0; i < n; i++)
ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];