video/readers/jpeg: Block int underflow -> wild pointer write (a10c2350) · Commits · PureOS / Core Packages / Grub

Commit a10c2350 authored 3 years ago by Daniel Axtens Committed by Julian Andres Klode 2 years ago

video/readers/jpeg: Block int underflow -> wild pointer write


Certain 1 px wide images caused a wild pointer write in
grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
we have the following loop:

for (; data->r1 < nr1 && (!data->dri || rst);
     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)

We did not check if vb * width >= hb * nc1.

On a 64-bit platform, if that turns out to be negative, it will underflow,
be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
we see data->bitmap_ptr jump, e.g.:

0x6180_0000_0480 to
0x6181_0000_0498
     ^
     ~--- carry has occurred and this pointer is now far away from
          any object.

On a 32-bit platform, it will decrement the pointer, creating a pointer
that won't crash but will overwrite random data.

Catch the underflow and error out.

Fixes: CVE-2021-3697

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

parent 9286f000

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 9 additions and 1 deletion

Please register or to comment

Admin message

Admin message

video/readers/jpeg: Block int underflow -> wild pointer write