42b3050a74
CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733 CVE-2021-3697 CVE-2021-3696 CVE-2021-3695 Resolves: #2070688 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Tue, 13 Jul 2021 13:24:38 +1000
|
|
Subject: [PATCH] normal/charset: Fix array out-of-bounds formatting unicode
|
|
for display
|
|
|
|
In some cases attempting to display arbitrary binary strings leads
|
|
to ASAN splats reading the widthspec array out of bounds.
|
|
|
|
Check the index. If it would be out of bounds, return a width of 1.
|
|
I don't know if that's strictly correct, but we're not really expecting
|
|
great display of arbitrary binary data, and it's certainly not worse than
|
|
an OOB read.
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
(cherry picked from commit fdf32abc7a3928852422c0f291d8cd1dd6b34a8d)
|
|
(cherry picked from commit f2c10aaf335b88a69885375c4d68ffab2429df77)
|
|
---
|
|
grub-core/normal/charset.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
|
|
index 4dfcc31078..7a5a7c153c 100644
|
|
--- a/grub-core/normal/charset.c
|
|
+++ b/grub-core/normal/charset.c
|
|
@@ -395,6 +395,8 @@ grub_unicode_estimate_width (const struct grub_unicode_glyph *c)
|
|
{
|
|
if (grub_unicode_get_comb_type (c->base))
|
|
return 0;
|
|
+ if (((unsigned long) (c->base >> 3)) >= ARRAY_SIZE (widthspec))
|
|
+ return 1;
|
|
if (widthspec[c->base >> 3] & (1 << (c->base & 7)))
|
|
return 2;
|
|
else
|