1From 73bc7a964c9496d5b0f00dbd69959dacf5adcebe Mon Sep 17 00:00:00 2001 2From: Daniel Kiper <daniel.kiper@oracle.com> 3Date: Tue, 7 Jul 2020 15:36:26 +0200 4Subject: [PATCH] font: Do not load more than one NAME section 5MIME-Version: 1.0 6Content-Type: text/plain; charset=UTF-8 7Content-Transfer-Encoding: 8bit 8 9The GRUB font file can have one NAME section only. Though if somebody 10crafts a broken font file with many NAME sections and loads it then the 11GRUB leaks memory. So, prevent against that by loading first NAME 12section and failing in controlled way on following one. 13 14Reported-by: Chris Coulson <chris.coulson@canonical.com> 15Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> 16Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> 17Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 18--- 19 grub-core/font/font.c | 6 ++++++ 20 1 file changed, 6 insertions(+) 21 22diff --git a/grub-core/font/font.c b/grub-core/font/font.c 23index 5edb477ac..d09bb38d8 100644 24--- a/grub-core/font/font.c 25+++ b/grub-core/font/font.c 26@@ -532,6 +532,12 @@ grub_font_load (const char *filename) 27 if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME, 28 sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0) 29 { 30+ if (font->name != NULL) 31+ { 32+ grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections"); 33+ goto fail; 34+ } 35+ 36 font->name = read_section_as_string (§ion); 37 if (!font->name) 38 goto fail; 39-- 402.26.2 41 42