f0ad2aaa26
Resolves: CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733 Resolves: CVE-2021-3697 CVE-2021-3696 CVE-2021-3695 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
45 lines
1.8 KiB
Diff
45 lines
1.8 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Mon, 28 Jun 2021 14:25:17 +1000
|
|
Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
|
|
streams
|
|
|
|
An invalid file could contain multiple start of stream blocks, which
|
|
would cause us to reallocate and leak our bitmap. Refuse to handle
|
|
multiple start of streams.
|
|
|
|
Additionally, fix a grub_error() call formatting.
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
(cherry picked from commit f3a854def3e281b7ad4bbea730cd3046de1da52f)
|
|
---
|
|
grub-core/video/readers/jpeg.c | 7 +++++--
|
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
|
index caa211f06d..1df1171d78 100644
|
|
--- a/grub-core/video/readers/jpeg.c
|
|
+++ b/grub-core/video/readers/jpeg.c
|
|
@@ -677,6 +677,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
|
if (data->file->offset != data_offset)
|
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
|
|
|
|
+ if (*data->bitmap)
|
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
|
|
+
|
|
if (grub_video_bitmap_create (data->bitmap, data->image_width,
|
|
data->image_height,
|
|
GRUB_VIDEO_BLIT_FORMAT_RGB_888))
|
|
@@ -699,8 +702,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
|
|
nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
|
|
|
|
if (data->bitmap_ptr == NULL)
|
|
- return grub_error(GRUB_ERR_BAD_FILE_TYPE,
|
|
- "jpeg: attempted to decode data before start of stream");
|
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
|
+ "jpeg: attempted to decode data before start of stream");
|
|
|
|
for (; data->r1 < nr1 && (!data->dri || rst);
|
|
data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
|