1From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001 2From: Zhang Boyang <zhangboyang.id@gmail.com> 3Date: Fri, 5 Aug 2022 01:58:27 +0800 4Subject: [PATCH] font: Fix several integer overflows in 5 grub_font_construct_glyph() 6 7This patch fixes several integer overflows in grub_font_construct_glyph(). 8Glyphs of invalid size, zero or leading to an overflow, are rejected. 9The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() 10returns NULL is fixed too. 11 12Fixes: CVE-2022-2601 13 14Reported-by: Zhang Boyang <zhangboyang.id@gmail.com> 15Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> 16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 17 18Upstream-Status: Backport from 19[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e] 20CVE: CVE-2022-2601 21 22Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> 23 24--- 25 grub-core/font/font.c | 29 +++++++++++++++++------------ 26 1 file changed, 17 insertions(+), 12 deletions(-) 27 28diff --git a/grub-core/font/font.c b/grub-core/font/font.c 29index 876b5b6..0ff5525 100644 30--- a/grub-core/font/font.c 31+++ b/grub-core/font/font.c 32@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, 33 struct grub_video_signed_rect bounds; 34 static struct grub_font_glyph *glyph = 0; 35 static grub_size_t max_glyph_size = 0; 36+ grub_size_t cur_glyph_size; 37 38 ensure_comb_space (glyph_id); 39 40@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, 41 if (!glyph_id->ncomb && !glyph_id->attributes) 42 return main_glyph; 43 44- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) 45+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || 46+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) 47+ return main_glyph; 48+ 49+ if (max_glyph_size < cur_glyph_size) 50 { 51 grub_free (glyph); 52- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; 53- if (max_glyph_size < 8) 54- max_glyph_size = 8; 55- glyph = grub_malloc (max_glyph_size); 56+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) 57+ max_glyph_size = 0; 58+ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL; 59 } 60 if (!glyph) 61 { 62+ max_glyph_size = 0; 63 grub_errno = GRUB_ERR_NONE; 64 return main_glyph; 65 } 66 67- grub_memset (glyph, 0, sizeof (*glyph) 68- + (bounds.width * bounds.height 69- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); 70+ grub_memset (glyph, 0, cur_glyph_size); 71 72 glyph->font = main_glyph->font; 73- glyph->width = bounds.width; 74- glyph->height = bounds.height; 75- glyph->offset_x = bounds.x; 76- glyph->offset_y = bounds.y; 77+ if (bounds.width == 0 || bounds.height == 0 || 78+ grub_cast (bounds.width, &glyph->width) || 79+ grub_cast (bounds.height, &glyph->height) || 80+ grub_cast (bounds.x, &glyph->offset_x) || 81+ grub_cast (bounds.y, &glyph->offset_y)) 82+ return main_glyph; 83 84 if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) 85 grub_font_blit_glyph_mirror (glyph, main_glyph, 86