From 34b85a6e07014383ddcad09f99ff239ad752dd1a Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Fri, 15 Jan 2021 13:29:53 +1100 Subject: [PATCH] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() The key line is: du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; jpeg_zigzag_order is grub_uint8_t[64]. I don't understand JPEG decoders quite well enough to explain what's going on here. However, I observe sometimes pos=64, which leads to an OOB read of the jpeg_zigzag_order global then an OOB write to du. That leads to various unpleasant memory corruption conditions. Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. Signed-off-by: Daniel Axtens Reviewed-by: Daniel Kiper Signed-off-by: Stefan Sørensen --- grub-core/video/readers/jpeg.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c index 23f919a..e514812 100644 --- a/grub-core/video/readers/jpeg.c +++ b/grub-core/video/readers/jpeg.c @@ -526,6 +526,14 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) val = grub_jpeg_get_number (data, num & 0xF); num >>= 4; pos += num; + + if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) + { + grub_error (GRUB_ERR_BAD_FILE_TYPE, + "jpeg: invalid position in zigzag order!?"); + return; + } + du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; pos++; } -- 2.14.2