1*4882a593SmuzhiyunFrom d5caac8ab79d068ad9a41030c772d03a4d4fbd7b Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net> 3*4882a593SmuzhiyunDate: Mon, 28 Jun 2021 14:16:14 +1000 4*4882a593SmuzhiyunSubject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunFuzzing revealed some inputs that were taking a long time, potentially 7*4882a593Smuzhiyunforever, because they did not bail quickly upon encountering an I/O error. 8*4882a593Smuzhiyun 9*4882a593SmuzhiyunTry to catch I/O errors sooner and bail out. 10*4882a593Smuzhiyun 11*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net> 12*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 13*4882a593Smuzhiyun 14*4882a593SmuzhiyunUpstream-Status: Backport 15*4882a593Smuzhiyun 16*4882a593SmuzhiyunReference to upstream patch: 17*4882a593Smuzhiyunhttps://git.savannah.gnu.org/cgit/grub.git/commit/?id=d5caac8ab79d068ad9a41030c772d03a4d4fbd7b 18*4882a593Smuzhiyun 19*4882a593SmuzhiyunSigned-off-by: Yongxin Liu <yongxin.liu@windriver.com> 20*4882a593Smuzhiyun--- 21*4882a593Smuzhiyun grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++------- 22*4882a593Smuzhiyun 1 file changed, 70 insertions(+), 16 deletions(-) 23*4882a593Smuzhiyun 24*4882a593Smuzhiyundiff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c 25*4882a593Smuzhiyunindex c47ffd651..806c56c78 100644 26*4882a593Smuzhiyun--- a/grub-core/video/readers/jpeg.c 27*4882a593Smuzhiyun+++ b/grub-core/video/readers/jpeg.c 28*4882a593Smuzhiyun@@ -109,9 +109,17 @@ static grub_uint8_t 29*4882a593Smuzhiyun grub_jpeg_get_byte (struct grub_jpeg_data *data) 30*4882a593Smuzhiyun { 31*4882a593Smuzhiyun grub_uint8_t r; 32*4882a593Smuzhiyun+ grub_ssize_t bytes_read; 33*4882a593Smuzhiyun 34*4882a593Smuzhiyun r = 0; 35*4882a593Smuzhiyun- grub_file_read (data->file, &r, 1); 36*4882a593Smuzhiyun+ bytes_read = grub_file_read (data->file, &r, 1); 37*4882a593Smuzhiyun+ 38*4882a593Smuzhiyun+ if (bytes_read != 1) 39*4882a593Smuzhiyun+ { 40*4882a593Smuzhiyun+ grub_error (GRUB_ERR_BAD_FILE_TYPE, 41*4882a593Smuzhiyun+ "jpeg: unexpected end of data"); 42*4882a593Smuzhiyun+ return 0; 43*4882a593Smuzhiyun+ } 44*4882a593Smuzhiyun 45*4882a593Smuzhiyun return r; 46*4882a593Smuzhiyun } 47*4882a593Smuzhiyun@@ -120,9 +128,17 @@ static grub_uint16_t 48*4882a593Smuzhiyun grub_jpeg_get_word (struct grub_jpeg_data *data) 49*4882a593Smuzhiyun { 50*4882a593Smuzhiyun grub_uint16_t r; 51*4882a593Smuzhiyun+ grub_ssize_t bytes_read; 52*4882a593Smuzhiyun 53*4882a593Smuzhiyun r = 0; 54*4882a593Smuzhiyun- grub_file_read (data->file, &r, sizeof (grub_uint16_t)); 55*4882a593Smuzhiyun+ bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t)); 56*4882a593Smuzhiyun+ 57*4882a593Smuzhiyun+ if (bytes_read != sizeof (grub_uint16_t)) 58*4882a593Smuzhiyun+ { 59*4882a593Smuzhiyun+ grub_error (GRUB_ERR_BAD_FILE_TYPE, 60*4882a593Smuzhiyun+ "jpeg: unexpected end of data"); 61*4882a593Smuzhiyun+ return 0; 62*4882a593Smuzhiyun+ } 63*4882a593Smuzhiyun 64*4882a593Smuzhiyun return grub_be_to_cpu16 (r); 65*4882a593Smuzhiyun } 66*4882a593Smuzhiyun@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data) 67*4882a593Smuzhiyun if (data->bit_mask == 0) 68*4882a593Smuzhiyun { 69*4882a593Smuzhiyun data->bit_save = grub_jpeg_get_byte (data); 70*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) { 71*4882a593Smuzhiyun+ grub_error (GRUB_ERR_BAD_FILE_TYPE, 72*4882a593Smuzhiyun+ "jpeg: file read error"); 73*4882a593Smuzhiyun+ return 0; 74*4882a593Smuzhiyun+ } 75*4882a593Smuzhiyun if (data->bit_save == JPEG_ESC_CHAR) 76*4882a593Smuzhiyun { 77*4882a593Smuzhiyun if (grub_jpeg_get_byte (data) != 0) 78*4882a593Smuzhiyun@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data) 79*4882a593Smuzhiyun "jpeg: invalid 0xFF in data stream"); 80*4882a593Smuzhiyun return 0; 81*4882a593Smuzhiyun } 82*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 83*4882a593Smuzhiyun+ { 84*4882a593Smuzhiyun+ grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error"); 85*4882a593Smuzhiyun+ return 0; 86*4882a593Smuzhiyun+ } 87*4882a593Smuzhiyun } 88*4882a593Smuzhiyun data->bit_mask = 0x80; 89*4882a593Smuzhiyun } 90*4882a593Smuzhiyun@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num) 91*4882a593Smuzhiyun return 0; 92*4882a593Smuzhiyun 93*4882a593Smuzhiyun msb = value = grub_jpeg_get_bit (data); 94*4882a593Smuzhiyun- for (i = 1; i < num; i++) 95*4882a593Smuzhiyun+ for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++) 96*4882a593Smuzhiyun value = (value << 1) + (grub_jpeg_get_bit (data) != 0); 97*4882a593Smuzhiyun if (!msb) 98*4882a593Smuzhiyun value += 1 - (1 << num); 99*4882a593Smuzhiyun@@ -208,6 +234,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data) 100*4882a593Smuzhiyun while (data->file->offset + sizeof (count) + 1 <= next_marker) 101*4882a593Smuzhiyun { 102*4882a593Smuzhiyun id = grub_jpeg_get_byte (data); 103*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 104*4882a593Smuzhiyun+ return grub_errno; 105*4882a593Smuzhiyun ac = (id >> 4) & 1; 106*4882a593Smuzhiyun id &= 0xF; 107*4882a593Smuzhiyun if (id > 1) 108*4882a593Smuzhiyun@@ -258,6 +286,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) 109*4882a593Smuzhiyun 110*4882a593Smuzhiyun next_marker = data->file->offset; 111*4882a593Smuzhiyun next_marker += grub_jpeg_get_word (data); 112*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 113*4882a593Smuzhiyun+ return grub_errno; 114*4882a593Smuzhiyun 115*4882a593Smuzhiyun if (next_marker > data->file->size) 116*4882a593Smuzhiyun { 117*4882a593Smuzhiyun@@ -269,6 +299,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) 118*4882a593Smuzhiyun <= next_marker) 119*4882a593Smuzhiyun { 120*4882a593Smuzhiyun id = grub_jpeg_get_byte (data); 121*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 122*4882a593Smuzhiyun+ return grub_errno; 123*4882a593Smuzhiyun if (id >= 0x10) /* Upper 4-bit is precision. */ 124*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, 125*4882a593Smuzhiyun "jpeg: only 8-bit precision is supported"); 126*4882a593Smuzhiyun@@ -300,6 +332,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) 127*4882a593Smuzhiyun next_marker = data->file->offset; 128*4882a593Smuzhiyun next_marker += grub_jpeg_get_word (data); 129*4882a593Smuzhiyun 130*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 131*4882a593Smuzhiyun+ return grub_errno; 132*4882a593Smuzhiyun+ 133*4882a593Smuzhiyun if (grub_jpeg_get_byte (data) != 8) 134*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, 135*4882a593Smuzhiyun "jpeg: only 8-bit precision is supported"); 136*4882a593Smuzhiyun@@ -325,6 +360,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) 137*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index"); 138*4882a593Smuzhiyun 139*4882a593Smuzhiyun ss = grub_jpeg_get_byte (data); /* Sampling factor. */ 140*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 141*4882a593Smuzhiyun+ return grub_errno; 142*4882a593Smuzhiyun if (!id) 143*4882a593Smuzhiyun { 144*4882a593Smuzhiyun grub_uint8_t vs, hs; 145*4882a593Smuzhiyun@@ -504,7 +541,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du) 146*4882a593Smuzhiyun } 147*4882a593Smuzhiyun } 148*4882a593Smuzhiyun 149*4882a593Smuzhiyun-static void 150*4882a593Smuzhiyun+static grub_err_t 151*4882a593Smuzhiyun grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) 152*4882a593Smuzhiyun { 153*4882a593Smuzhiyun int h1, h2, qt; 154*4882a593Smuzhiyun@@ -519,6 +556,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) 155*4882a593Smuzhiyun data->dc_value[id] += 156*4882a593Smuzhiyun grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1)); 157*4882a593Smuzhiyun 158*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 159*4882a593Smuzhiyun+ return grub_errno; 160*4882a593Smuzhiyun+ 161*4882a593Smuzhiyun du[0] = data->dc_value[id] * (int) data->quan_table[qt][0]; 162*4882a593Smuzhiyun pos = 1; 163*4882a593Smuzhiyun while (pos < ARRAY_SIZE (data->quan_table[qt])) 164*4882a593Smuzhiyun@@ -533,11 +573,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) 165*4882a593Smuzhiyun num >>= 4; 166*4882a593Smuzhiyun pos += num; 167*4882a593Smuzhiyun 168*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 169*4882a593Smuzhiyun+ return grub_errno; 170*4882a593Smuzhiyun+ 171*4882a593Smuzhiyun if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) 172*4882a593Smuzhiyun { 173*4882a593Smuzhiyun- grub_error (GRUB_ERR_BAD_FILE_TYPE, 174*4882a593Smuzhiyun- "jpeg: invalid position in zigzag order!?"); 175*4882a593Smuzhiyun- return; 176*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, 177*4882a593Smuzhiyun+ "jpeg: invalid position in zigzag order!?"); 178*4882a593Smuzhiyun } 179*4882a593Smuzhiyun 180*4882a593Smuzhiyun du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; 181*4882a593Smuzhiyun@@ -545,6 +587,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) 182*4882a593Smuzhiyun } 183*4882a593Smuzhiyun 184*4882a593Smuzhiyun grub_jpeg_idct_transform (du); 185*4882a593Smuzhiyun+ return GRUB_ERR_NONE; 186*4882a593Smuzhiyun } 187*4882a593Smuzhiyun 188*4882a593Smuzhiyun static void 189*4882a593Smuzhiyun@@ -603,7 +646,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) 190*4882a593Smuzhiyun data_offset += grub_jpeg_get_word (data); 191*4882a593Smuzhiyun 192*4882a593Smuzhiyun cc = grub_jpeg_get_byte (data); 193*4882a593Smuzhiyun- 194*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 195*4882a593Smuzhiyun+ return grub_errno; 196*4882a593Smuzhiyun if (cc != 3 && cc != 1) 197*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, 198*4882a593Smuzhiyun "jpeg: component count must be 1 or 3"); 199*4882a593Smuzhiyun@@ -616,7 +660,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) 200*4882a593Smuzhiyun id = grub_jpeg_get_byte (data) - 1; 201*4882a593Smuzhiyun if ((id < 0) || (id >= 3)) 202*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index"); 203*4882a593Smuzhiyun- 204*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 205*4882a593Smuzhiyun+ return grub_errno; 206*4882a593Smuzhiyun ht = grub_jpeg_get_byte (data); 207*4882a593Smuzhiyun data->comp_index[id][1] = (ht >> 4); 208*4882a593Smuzhiyun data->comp_index[id][2] = (ht & 0xF) + 2; 209*4882a593Smuzhiyun@@ -624,11 +669,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) 210*4882a593Smuzhiyun if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) || 211*4882a593Smuzhiyun (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3)) 212*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index"); 213*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 214*4882a593Smuzhiyun+ return grub_errno; 215*4882a593Smuzhiyun } 216*4882a593Smuzhiyun 217*4882a593Smuzhiyun grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */ 218*4882a593Smuzhiyun grub_jpeg_get_word (data); 219*4882a593Smuzhiyun- 220*4882a593Smuzhiyun+ if (grub_errno != GRUB_ERR_NONE) 221*4882a593Smuzhiyun+ return grub_errno; 222*4882a593Smuzhiyun if (data->file->offset != data_offset) 223*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos"); 224*4882a593Smuzhiyun 225*4882a593Smuzhiyun@@ -646,6 +694,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) 226*4882a593Smuzhiyun { 227*4882a593Smuzhiyun unsigned c1, vb, hb, nr1, nc1; 228*4882a593Smuzhiyun int rst = data->dri; 229*4882a593Smuzhiyun+ grub_err_t err = GRUB_ERR_NONE; 230*4882a593Smuzhiyun 231*4882a593Smuzhiyun vb = 8 << data->log_vs; 232*4882a593Smuzhiyun hb = 8 << data->log_hs; 233*4882a593Smuzhiyun@@ -666,17 +715,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) 234*4882a593Smuzhiyun 235*4882a593Smuzhiyun for (r2 = 0; r2 < (1U << data->log_vs); r2++) 236*4882a593Smuzhiyun for (c2 = 0; c2 < (1U << data->log_hs); c2++) 237*4882a593Smuzhiyun- grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]); 238*4882a593Smuzhiyun+ { 239*4882a593Smuzhiyun+ err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]); 240*4882a593Smuzhiyun+ if (err != GRUB_ERR_NONE) 241*4882a593Smuzhiyun+ return err; 242*4882a593Smuzhiyun+ } 243*4882a593Smuzhiyun 244*4882a593Smuzhiyun if (data->color_components >= 3) 245*4882a593Smuzhiyun { 246*4882a593Smuzhiyun- grub_jpeg_decode_du (data, 1, data->cbdu); 247*4882a593Smuzhiyun- grub_jpeg_decode_du (data, 2, data->crdu); 248*4882a593Smuzhiyun+ err = grub_jpeg_decode_du (data, 1, data->cbdu); 249*4882a593Smuzhiyun+ if (err != GRUB_ERR_NONE) 250*4882a593Smuzhiyun+ return err; 251*4882a593Smuzhiyun+ err = grub_jpeg_decode_du (data, 2, data->crdu); 252*4882a593Smuzhiyun+ if (err != GRUB_ERR_NONE) 253*4882a593Smuzhiyun+ return err; 254*4882a593Smuzhiyun } 255*4882a593Smuzhiyun 256*4882a593Smuzhiyun- if (grub_errno) 257*4882a593Smuzhiyun- return grub_errno; 258*4882a593Smuzhiyun- 259*4882a593Smuzhiyun nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb; 260*4882a593Smuzhiyun nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb; 261*4882a593Smuzhiyun 262*4882a593Smuzhiyun-- 263*4882a593Smuzhiyun2.34.1 264*4882a593Smuzhiyun 265