grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch

*4882a593SmuzhiyunFrom e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001
*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net>
*4882a593SmuzhiyunDate: Tue, 6 Jul 2021 18:51:35 +1000
*4882a593SmuzhiyunSubject: [PATCH] video/readers/png: Drop greyscale support to fix heap
*4882a593Smuzhiyun out-of-bounds write
*4882a593Smuzhiyun
*4882a593SmuzhiyunA 16-bit greyscale PNG without alpha is processed in the following loop:
*4882a593Smuzhiyun
*4882a593Smuzhiyun      for (i = 0; i < (data->image_width * data->image_height);
*4882a593Smuzhiyun	   i++, d1 += 4, d2 += 2)
*4882a593Smuzhiyun	{
*4882a593Smuzhiyun	  d1[R3] = d2[1];
*4882a593Smuzhiyun	  d1[G3] = d2[1];
*4882a593Smuzhiyun	  d1[B3] = d2[1];
*4882a593Smuzhiyun	}
*4882a593Smuzhiyun
*4882a593SmuzhiyunThe increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
*4882a593Smuzhiyunbut there are only 3 bytes allocated for storage. This means that image
*4882a593Smuzhiyundata will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
*4882a593Smuzhiyunout of every 4 following the end of the image.
*4882a593Smuzhiyun
*4882a593SmuzhiyunThis has existed since greyscale support was added in 2013 in commit
*4882a593Smuzhiyun3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
*4882a593Smuzhiyun
*4882a593SmuzhiyunSaving starfield.png as a 16-bit greyscale image without alpha in the gimp
*4882a593Smuzhiyunand attempting to load it causes grub-emu to crash - I don't think this code
*4882a593Smuzhiyunhas ever worked.
*4882a593Smuzhiyun
*4882a593SmuzhiyunDelete all PNG greyscale support.
*4882a593Smuzhiyun
*4882a593SmuzhiyunFixes: CVE-2021-3695
*4882a593Smuzhiyun
*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net>
*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
*4882a593Smuzhiyun
*4882a593SmuzhiyunUpstream-Status: Backport
*4882a593SmuzhiyunCVE: CVE-2021-3695
*4882a593Smuzhiyun
*4882a593SmuzhiyunReference to upstream patch:
*4882a593Smuzhiyunhttps://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08
*4882a593Smuzhiyun
*4882a593SmuzhiyunSigned-off-by: Yongxin Liu <yongxin.liu@windriver.com>
*4882a593Smuzhiyun---
*4882a593Smuzhiyun grub-core/video/readers/png.c | 87 +++--------------------------------
*4882a593Smuzhiyun 1 file changed, 7 insertions(+), 80 deletions(-)
*4882a593Smuzhiyun
*4882a593Smuzhiyundiff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
*4882a593Smuzhiyunindex 35ae553c8..a3161e25b 100644
*4882a593Smuzhiyun--- a/grub-core/video/readers/png.c
*4882a593Smuzhiyun+++ b/grub-core/video/readers/png.c
*4882a593Smuzhiyun@@ -100,7 +100,7 @@ struct grub_png_data
*4882a593Smuzhiyun
*4882a593Smuzhiyun   unsigned image_width, image_height;
*4882a593Smuzhiyun   int bpp, is_16bit;
*4882a593Smuzhiyun-  int raw_bytes, is_gray, is_alpha, is_palette;
*4882a593Smuzhiyun+  int raw_bytes, is_alpha, is_palette;
*4882a593Smuzhiyun   int row_bytes, color_bits;
*4882a593Smuzhiyun   grub_uint8_t *image_data;
*4882a593Smuzhiyun
*4882a593Smuzhiyun@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
*4882a593Smuzhiyun     data->bpp = 3;
*4882a593Smuzhiyun   else
*4882a593Smuzhiyun     {
*4882a593Smuzhiyun-      data->is_gray = 1;
*4882a593Smuzhiyun-      data->bpp = 1;
*4882a593Smuzhiyun+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
*4882a593Smuzhiyun+			 "png: color type not supported");
*4882a593Smuzhiyun     }
*4882a593Smuzhiyun
*4882a593Smuzhiyun   if ((color_bits != 8) && (color_bits != 16)
*4882a593Smuzhiyun       && (color_bits != 4
*4882a593Smuzhiyun-	  || !(data->is_gray || data->is_palette)))
*4882a593Smuzhiyun+	  || !data->is_palette))
*4882a593Smuzhiyun     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
*4882a593Smuzhiyun                        "png: bit depth must be 8 or 16");
*4882a593Smuzhiyun
*4882a593Smuzhiyun@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
*4882a593Smuzhiyun     }
*4882a593Smuzhiyun
*4882a593Smuzhiyun #ifndef GRUB_CPU_WORDS_BIGENDIAN
*4882a593Smuzhiyun-  if (data->is_16bit || data->is_gray || data->is_palette)
*4882a593Smuzhiyun+  if (data->is_16bit || data->is_palette)
*4882a593Smuzhiyun #endif
*4882a593Smuzhiyun     {
*4882a593Smuzhiyun       data->image_data = grub_calloc (data->image_height, data->row_bytes);
*4882a593Smuzhiyun@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
*4882a593Smuzhiyun       int shift;
*4882a593Smuzhiyun       int mask = (1 << data->color_bits) - 1;
*4882a593Smuzhiyun       unsigned j;
*4882a593Smuzhiyun-      if (data->is_gray)
*4882a593Smuzhiyun-	{
*4882a593Smuzhiyun-	  /* Generic formula is
*4882a593Smuzhiyun-	     (0xff * i) / ((1U << data->color_bits) - 1)
*4882a593Smuzhiyun-	     but for allowed bit depth of 1, 2 and for it's
*4882a593Smuzhiyun-	     equivalent to
*4882a593Smuzhiyun-	     (0xff / ((1U << data->color_bits) - 1)) * i
*4882a593Smuzhiyun-	     Precompute the multipliers to avoid division.
*4882a593Smuzhiyun-	  */
*4882a593Smuzhiyun-
*4882a593Smuzhiyun-	  const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
*4882a593Smuzhiyun-	  for (i = 0; i < (1U << data->color_bits); i++)
*4882a593Smuzhiyun-	    {
*4882a593Smuzhiyun-	      grub_uint8_t col = multipliers[data->color_bits] * i;
*4882a593Smuzhiyun-	      palette[i][0] = col;
*4882a593Smuzhiyun-	      palette[i][1] = col;
*4882a593Smuzhiyun-	      palette[i][2] = col;
*4882a593Smuzhiyun-	    }
*4882a593Smuzhiyun-	}
*4882a593Smuzhiyun-      else
*4882a593Smuzhiyun-	grub_memcpy (palette, data->palette, 3 << data->color_bits);
*4882a593Smuzhiyun+
*4882a593Smuzhiyun+      grub_memcpy (palette, data->palette, 3 << data->color_bits);
*4882a593Smuzhiyun       d1c = d1;
*4882a593Smuzhiyun       d2c = d2;
*4882a593Smuzhiyun       for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
*4882a593Smuzhiyun@@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data)
*4882a593Smuzhiyun       return;
*4882a593Smuzhiyun     }
*4882a593Smuzhiyun
*4882a593Smuzhiyun-  if (data->is_gray)
*4882a593Smuzhiyun-    {
*4882a593Smuzhiyun-      switch (data->bpp)
*4882a593Smuzhiyun-	{
*4882a593Smuzhiyun-	case 4:
*4882a593Smuzhiyun-	  /* 16-bit gray with alpha.  */
*4882a593Smuzhiyun-	  for (i = 0; i < (data->image_width * data->image_height);
*4882a593Smuzhiyun-	       i++, d1 += 4, d2 += 4)
*4882a593Smuzhiyun-	    {
*4882a593Smuzhiyun-	      d1[R4] = d2[3];
*4882a593Smuzhiyun-	      d1[G4] = d2[3];
*4882a593Smuzhiyun-	      d1[B4] = d2[3];
*4882a593Smuzhiyun-	      d1[A4] = d2[1];
*4882a593Smuzhiyun-	    }
*4882a593Smuzhiyun-	  break;
*4882a593Smuzhiyun-	case 2:
*4882a593Smuzhiyun-	  if (data->is_16bit)
*4882a593Smuzhiyun-	    /* 16-bit gray without alpha.  */
*4882a593Smuzhiyun-	    {
*4882a593Smuzhiyun-	      for (i = 0; i < (data->image_width * data->image_height);
*4882a593Smuzhiyun-		   i++, d1 += 4, d2 += 2)
*4882a593Smuzhiyun-		{
*4882a593Smuzhiyun-		  d1[R3] = d2[1];
*4882a593Smuzhiyun-		  d1[G3] = d2[1];
*4882a593Smuzhiyun-		  d1[B3] = d2[1];
*4882a593Smuzhiyun-		}
*4882a593Smuzhiyun-	    }
*4882a593Smuzhiyun-	  else
*4882a593Smuzhiyun-	    /* 8-bit gray with alpha.  */
*4882a593Smuzhiyun-	    {
*4882a593Smuzhiyun-	      for (i = 0; i < (data->image_width * data->image_height);
*4882a593Smuzhiyun-		   i++, d1 += 4, d2 += 2)
*4882a593Smuzhiyun-		{
*4882a593Smuzhiyun-		  d1[R4] = d2[1];
*4882a593Smuzhiyun-		  d1[G4] = d2[1];
*4882a593Smuzhiyun-		  d1[B4] = d2[1];
*4882a593Smuzhiyun-		  d1[A4] = d2[0];
*4882a593Smuzhiyun-		}
*4882a593Smuzhiyun-	    }
*4882a593Smuzhiyun-	  break;
*4882a593Smuzhiyun-	  /* 8-bit gray without alpha.  */
*4882a593Smuzhiyun-	case 1:
*4882a593Smuzhiyun-	  for (i = 0; i < (data->image_width * data->image_height);
*4882a593Smuzhiyun-	       i++, d1 += 3, d2++)
*4882a593Smuzhiyun-	    {
*4882a593Smuzhiyun-	      d1[R3] = d2[0];
*4882a593Smuzhiyun-	      d1[G3] = d2[0];
*4882a593Smuzhiyun-	      d1[B3] = d2[0];
*4882a593Smuzhiyun-	    }
*4882a593Smuzhiyun-	  break;
*4882a593Smuzhiyun-	}
*4882a593Smuzhiyun-      return;
*4882a593Smuzhiyun-    }
*4882a593Smuzhiyun-
*4882a593Smuzhiyun     {
*4882a593Smuzhiyun   /* Only copy the upper 8 bit.  */
*4882a593Smuzhiyun #ifndef GRUB_CPU_WORDS_BIGENDIAN
*4882a593Smuzhiyun--
*4882a593Smuzhiyun2.34.1
*4882a593Smuzhiyun