1From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001
2From: Daniel Axtens <dja@axtens.net>
3Date: Wed, 7 Jul 2021 15:38:19 +1000
4Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
5
6Certain 1 px wide images caused a wild pointer write in
7grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
8we have the following loop:
9
10for (; data->r1 < nr1 && (!data->dri || rst);
11     data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
12
13We did not check if vb * width >= hb * nc1.
14
15On a 64-bit platform, if that turns out to be negative, it will underflow,
16be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
17we see data->bitmap_ptr jump, e.g.:
18
190x6180_0000_0480 to
200x6181_0000_0498
21     ^
22     ~--- carry has occurred and this pointer is now far away from
23          any object.
24
25On a 32-bit platform, it will decrement the pointer, creating a pointer
26that won't crash but will overwrite random data.
27
28Catch the underflow and error out.
29
30Fixes: CVE-2021-3697
31
32Signed-off-by: Daniel Axtens <dja@axtens.net>
33Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
34
35Upstream-Status: Backport
36CVE: CVE-2021-3697
37
38Reference to upstream patch:
39https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6
40
41Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
42---
43 grub-core/video/readers/jpeg.c | 10 +++++++++-
44 1 file changed, 9 insertions(+), 1 deletion(-)
45
46diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
47index 579bbe8a4..09596fbf5 100644
48--- a/grub-core/video/readers/jpeg.c
49+++ b/grub-core/video/readers/jpeg.c
50@@ -23,6 +23,7 @@
51 #include <grub/mm.h>
52 #include <grub/misc.h>
53 #include <grub/bufio.h>
54+#include <grub/safemath.h>
55
56 GRUB_MOD_LICENSE ("GPLv3+");
57
58@@ -699,6 +700,7 @@ static grub_err_t
59 grub_jpeg_decode_data (struct grub_jpeg_data *data)
60 {
61   unsigned c1, vb, hb, nr1, nc1;
62+  unsigned stride_a, stride_b, stride;
63   int rst = data->dri;
64   grub_err_t err = GRUB_ERR_NONE;
65
66@@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
67     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
68 		       "jpeg: attempted to decode data before start of stream");
69
70+  if (grub_mul(vb, data->image_width, &stride_a) ||
71+      grub_mul(hb, nc1, &stride_b) ||
72+      grub_sub(stride_a, stride_b, &stride))
73+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
74+		       "jpeg: cannot decode image with these dimensions");
75+
76   for (; data->r1 < nr1 && (!data->dri || rst);
77-       data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
78+       data->r1++, data->bitmap_ptr += stride * 3)
79     for (c1 = 0;  c1 < nc1 && (!data->dri || rst);
80 	c1++, rst--, data->bitmap_ptr += hb * 3)
81       {
82--
832.34.1
84
85