1From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001
2From: Daniel Axtens <dja@axtens.net>
3Date: Tue, 6 Jul 2021 23:25:07 +1000
4Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
5 items
6
7In fuzzing we observed crashes where a code would attempt to be inserted
8into a huffman table before the start, leading to a set of heap OOB reads
9and writes as table entries with negative indices were shifted around and
10the new code written in.
11
12Catch the case where we would underflow the array and bail.
13
14Fixes: CVE-2021-3696
15
16Signed-off-by: Daniel Axtens <dja@axtens.net>
17Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
18
19Upstream-Status: Backport
20CVE: CVE-2021-3696
21
22Reference to upstream patch:
23https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042
24
25Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
26---
27 grub-core/video/readers/png.c | 7 +++++++
28 1 file changed, 7 insertions(+)
29
30diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
31index a3161e25b..d7ed5aa6c 100644
32--- a/grub-core/video/readers/png.c
33+++ b/grub-core/video/readers/png.c
34@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
35 for (i = len; i < ht->max_length; i++)
36 n += ht->maxval[i];
37
38+ if (n > ht->num_values)
39+ {
40+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
41+ "png: out of range inserting huffman table item");
42+ return;
43+ }
44+
45 for (i = 0; i < n; i++)
46 ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
47
48--
492.34.1
50
51
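Review bot: The added guard bounds only the low end of the shift: with `n <= ht->num_values` the loop that follows still writes `ht->values[ht->num_values]` whenever `n > 0`, and nothing in this hunk shows `num_values` being checked against the capacity of `values[]`. If that upper bound is not enforced elsewhere in `grub_png_insert_huff_item` (its body starts and ends outside the hunk), a matching check belongs next to this one. Because the function returns void and reports the failure only through `grub_error`, callers presumably need to test `grub_errno` after each insert, otherwise decoding would carry on with a table that is missing an entry. A short comment above the check would record the invariant, e.g. `/* values[num_values - n] is read below; n > num_values would index before the array */`.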