1*4882a593SmuzhiyunFrom 693989598fd38c3c0b2a928f4f64865b5681762f Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net>
3*4882a593SmuzhiyunDate: Fri, 15 Jan 2021 12:57:04 +1100
4*4882a593SmuzhiyunSubject: [PATCH] video/readers/jpeg: Catch files with unsupported quantization
5*4882a593Smuzhiyun or Huffman tables
6*4882a593Smuzhiyun
7*4882a593SmuzhiyunOur decoder only supports 2 quantization tables. If a file asks for
8*4882a593Smuzhiyuna quantization table with index > 1, reject it.
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunSimilarly, our decoder only supports 4 Huffman tables. If a file asks
11*4882a593Smuzhiyunfor a Huffman table with index > 3, reject it.
12*4882a593Smuzhiyun
13*4882a593SmuzhiyunThis fixes some out of bounds reads. It's not clear what degree of control
14*4882a593Smuzhiyunover subsequent execution could be gained by someone who can carefully
15*4882a593Smuzhiyunset up the contents of memory before loading an invalid JPEG file.
16*4882a593Smuzhiyun
17*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net>
18*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
19*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
20*4882a593Smuzhiyun---
21*4882a593Smuzhiyun grub-core/video/readers/jpeg.c | 8 ++++++++
22*4882a593Smuzhiyun 1 file changed, 8 insertions(+)
23*4882a593Smuzhiyun
24*4882a593Smuzhiyundiff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
25*4882a593Smuzhiyunindex 0b6ce3c..23f919a 100644
26*4882a593Smuzhiyun--- a/grub-core/video/readers/jpeg.c
27*4882a593Smuzhiyun+++ b/grub-core/video/readers/jpeg.c
28*4882a593Smuzhiyun@@ -333,7 +333,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
29*4882a593Smuzhiyun else if (ss != JPEG_SAMPLING_1x1)
30*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE,
31*4882a593Smuzhiyun "jpeg: sampling method not supported");
32*4882a593Smuzhiyun+
33*4882a593Smuzhiyun data->comp_index[id][0] = 
grub_jpeg_get_byte (data);
34*4882a593Smuzhiyun+ if (data->comp_index[id][0] > 1)
35*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
36*4882a593Smuzhiyun+ "jpeg: too many quantization tables");
37*4882a593Smuzhiyun }
38*4882a593Smuzhiyun
39*4882a593Smuzhiyun if (data->file->offset != next_marker)
40*4882a593Smuzhiyun@@ -602,6 +606,10 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
41*4882a593Smuzhiyun ht = grub_jpeg_get_byte (data);
42*4882a593Smuzhiyun data->comp_index[id][1] = (ht >> 4);
43*4882a593Smuzhiyun data->comp_index[id][2] = (ht & 0xF) + 2;
44*4882a593Smuzhiyun+
45*4882a593Smuzhiyun+ if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
46*4882a593Smuzhiyun+ (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
47*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
48*4882a593Smuzhiyun }
49*4882a593Smuzhiyun
50*4882a593Smuzhiyun grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
51*4882a593Smuzhiyun--
52*4882a593Smuzhiyun2.14.2
53*4882a593Smuzhiyun
54
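Review bot: The new quantization-table guard at patch line 34 hard-codes the limit as the literal `1`, and the Huffman guard in the second hunk hard-codes `3`; both bounds should instead be derived from the element count of the table arrays in `struct grub_jpeg_data` (a `sizeof`-based count, not visible in this hunk) so the check cannot drift from the array it protects if the table count ever changes. The message `"jpeg: too many quantization tables"` also names the wrong condition — the file does not declare too many tables, it references a table slot the decoder does not have — so `"jpeg: quantization table index not supported"` would describe what was rejected. A short comment above the check, `/* Only quantization tables 0 and 1 exist; a larger index would read past the table array. */`, would record why the bound is there. grub_jpeg_decode_sof starts and ends outside the hunk.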
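Review bot: The `< 0` halves of the new condition at patch lines 45–46 can never be true: both indices are computed from the single byte `ht` by `>> 4` and `& 0xF` (the second with `+ 2`), so they are non-negative whatever the element type of `comp_index`, and the dead tests only make the guard harder to read. The `+ 2` on the AC selector suggests the four table slots are laid out as DC in 0–1 and AC in 2–3; if that is the layout, a DC selector of 2 or 3 still passes `> 3` and silently decodes DC coefficients with an AC table, so the DC bound should be `> 1`: `if (data->comp_index[id][1] > 1 || data->comp_index[id][2] > 3)`. That slot layout is inferred from this hunk alone and should be confirmed against the Huffman table definitions before tightening. grub_jpeg_decode_sos starts and ends outside the hunk.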