1From 5f5eb7ca8e971227e95745abe541df3e1509360e Mon Sep 17 00:00:00 2001
2From: Darren Kenny <darren.kenny@oracle.com>
3Date: Fri, 4 Dec 2020 15:39:00 +0000
4Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
5 from a jpeg file
6
7While it may never happen, and potentially could be caught at the end of
8the function, it is worth checking up front for a bad reference to the
9next marker just in case of a maliciously crafted file being provided.
10
11Fixes: CID 73694
12
13Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
14Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
15Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
16---
17 grub-core/video/readers/jpeg.c | 6 ++++++
18 1 file changed, 6 insertions(+)
19
20diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
21index 31359a4..0b6ce3c 100644
22--- a/grub-core/video/readers/jpeg.c
23+++ b/grub-core/video/readers/jpeg.c
24@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
25 next_marker = data->file->offset;
26 next_marker += grub_jpeg_get_word (data);
27
28+ if (next_marker > data->file->size)
29+ {
30+ /* Should never be set beyond the size of the file. */
31+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
32+ }
33+
34 while (data->file->offset + sizeof (data->quan_table[id]) + 1
35 <= next_marker)
36 {
37--
382.14.2
39
40
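Review bot: The added guard bounds `next_marker` only from above, so a segment length word below 2 still passes it: the length is added to the offset captured before `grub_jpeg_get_word (data)` runs, and if that call advances `data->file->offset` past the two length bytes (presumably; its body is not shown), `next_marker` ends up behind the current read position. The loop condition then fails immediately and rejection depends on whatever check follows the loop, which is outside this hunk. Rejecting both cases here would make the up-front check complete: `if (next_marker > data->file->size || next_marker < data->file->offset)`. The declaration of `next_marker` is also outside the hunk; the comparison is only sound if its type is at least as wide as `data->file->size`, so that the addition cannot wrap.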