54 lines
2.0 KiB
Diff
54 lines
2.0 KiB
Diff
|
From 693989598fd38c3c0b2a928f4f64865b5681762f Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Axtens <dja@axtens.net>
|
||
|
Date: Fri, 15 Jan 2021 12:57:04 +1100
|
||
|
Subject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
|
||
|
or Huffman tables
|
||
|
|
||
|
Our decoder only supports 2 quantization tables. If a file asks for
|
||
|
a quantization table with index > 1, reject it.
|
||
|
|
||
|
Similarly, our decoder only supports 4 Huffman tables. If a file asks
|
||
|
for a Huffman table with index > 3, reject it.
|
||
|
|
||
|
This fixes some out of bounds reads. It's not clear what degree of control
|
||
|
over subsequent execution could be gained by someone who can carefully
|
||
|
set up the contents of memory before loading an invalid JPEG file.
|
||
|
|
||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||
|
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
|
||
|
---
|
||
|
grub-core/video/readers/jpeg.c | 8 ++++++++
|
||
|
1 file changed, 8 insertions(+)
|
||
|
|
||
|
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
|
||
|
index 0b6ce3c..23f919a 100644
|
||
|
--- a/grub-core/video/readers/jpeg.c
|
||
|
+++ b/grub-core/video/readers/jpeg.c
|
||
|
@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
|
||
|
else if (ss != JPEG_SAMPLING_1x1)
|
||
|
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||
|
"jpeg: sampling method not supported");
|
||
|
+
|
||
|
data->comp_index[id][0] = grub_jpeg_get_byte (data);
|
||
|
+ if (data->comp_index[id][0] > 1)
|
||
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||
|
+ "jpeg: too many quantization tables");
|
||
|
}
|
||
|
|
||
|
if (data->file->offset != next_marker)
|
||
|
@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
|
||
|
ht = grub_jpeg_get_byte (data);
|
||
|
data->comp_index[id][1] = (ht >> 4);
|
||
|
data->comp_index[id][2] = (ht & 0xF) + 2;
|
||
|
+
|
||
|
+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
|
||
|
+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
|
||
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
|
||
|
}
|
||
|
|
||
|
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
|
||
|
--
|
||
|
2.14.2
|
||
|
|