grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch

From d5caac8ab79d068ad9a41030c772d03a4d4fbd7b Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Jun 2021 14:16:14 +1000
Subject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails

Fuzzing revealed some inputs that were taking a long time, potentially
forever, because they did not bail quickly upon encountering an I/O error.

Try to catch I/O errors sooner and bail out.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Upstream-Status: Backport

Reference to upstream patch:
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d5caac8ab79d068ad9a41030c772d03a4d4fbd7b

Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
---
 grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++-------
 1 file changed, 70 insertions(+), 16 deletions(-)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index c47ffd651..806c56c78 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -109,9 +109,17 @@ static grub_uint8_t
 grub_jpeg_get_byte (struct grub_jpeg_data *data)
 {
   grub_uint8_t r;
+  grub_ssize_t bytes_read;

   r = 0;
-  grub_file_read (data->file, &r, 1);
+  bytes_read = grub_file_read (data->file, &r, 1);
+
+  if (bytes_read != 1)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "jpeg: unexpected end of data");
+      return 0;
+    }

   return r;
 }
@@ -120,9 +128,17 @@ static grub_uint16_t
 grub_jpeg_get_word (struct grub_jpeg_data *data)
 {
   grub_uint16_t r;
+  grub_ssize_t bytes_read;

   r = 0;
-  grub_file_read (data->file, &r, sizeof (grub_uint16_t));
+  bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
+
+  if (bytes_read != sizeof (grub_uint16_t))
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		  "jpeg: unexpected end of data");
+      return 0;
+    }

   return grub_be_to_cpu16 (r);
 }
@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
   if (data->bit_mask == 0)
     {
       data->bit_save = grub_jpeg_get_byte (data);
+      if (grub_errno != GRUB_ERR_NONE) {
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		    "jpeg: file read error");
+	return 0;
+      }
       if (data->bit_save == JPEG_ESC_CHAR)
 	{
 	  if (grub_jpeg_get_byte (data) != 0)
@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
 			  "jpeg: invalid 0xFF in data stream");
 	      return 0;
 	    }
+	  if (grub_errno != GRUB_ERR_NONE)
+	    {
+	      grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
+	      return 0;
+	    }
 	}
       data->bit_mask = 0x80;
     }
@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
     return 0;

   msb = value = grub_jpeg_get_bit (data);
-  for (i = 1; i < num; i++)
+  for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
     value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
   if (!msb)
     value += 1 - (1 << num);
@@ -208,6 +234,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
   while (data->file->offset + sizeof (count) + 1 <= next_marker)
     {
       id = grub_jpeg_get_byte (data);
+      if (grub_errno != GRUB_ERR_NONE)
+	return grub_errno;
       ac = (id >> 4) & 1;
       id &= 0xF;
       if (id > 1)
@@ -258,6 +286,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)

   next_marker = data->file->offset;
   next_marker += grub_jpeg_get_word (data);
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;

   if (next_marker > data->file->size)
     {
@@ -269,6 +299,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
 	 <= next_marker)
     {
       id = grub_jpeg_get_byte (data);
+      if (grub_errno != GRUB_ERR_NONE)
+        return grub_errno;
       if (id >= 0x10)		/* Upper 4-bit is precision.  */
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE,
 			   "jpeg: only 8-bit precision is supported");
@@ -300,6 +332,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
   next_marker = data->file->offset;
   next_marker += grub_jpeg_get_word (data);

+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
+
   if (grub_jpeg_get_byte (data) != 8)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
 		       "jpeg: only 8-bit precision is supported");
@@ -325,6 +360,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");

       ss = grub_jpeg_get_byte (data);	/* Sampling factor.  */
+      if (grub_errno != GRUB_ERR_NONE)
+	return grub_errno;
       if (!id)
 	{
 	  grub_uint8_t vs, hs;
@@ -504,7 +541,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
     }
 }

-static void
+static grub_err_t
 grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
 {
   int h1, h2, qt;
@@ -519,6 +556,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
   data->dc_value[id] +=
     grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));

+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
+
   du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
   pos = 1;
   while (pos < ARRAY_SIZE (data->quan_table[qt]))
@@ -533,11 +573,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
       num >>= 4;
       pos += num;

+      if (grub_errno != GRUB_ERR_NONE)
+        return grub_errno;
+
       if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
 	{
-	  grub_error (GRUB_ERR_BAD_FILE_TYPE,
-		      "jpeg: invalid position in zigzag order!?");
-	  return;
+	  return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+			     "jpeg: invalid position in zigzag order!?");
 	}

       du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
@@ -545,6 +587,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
     }

   grub_jpeg_idct_transform (du);
+  return GRUB_ERR_NONE;
 }

 static void
@@ -603,7 +646,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
   data_offset += grub_jpeg_get_word (data);

   cc = grub_jpeg_get_byte (data);
-
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
   if (cc != 3 && cc != 1)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
 		       "jpeg: component count must be 1 or 3");
@@ -616,7 +660,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
       id = grub_jpeg_get_byte (data) - 1;
       if ((id < 0) || (id >= 3))
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
-
+      if (grub_errno != GRUB_ERR_NONE)
+	return grub_errno;
       ht = grub_jpeg_get_byte (data);
       data->comp_index[id][1] = (ht >> 4);
       data->comp_index[id][2] = (ht & 0xF) + 2;
@@ -624,11 +669,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
       if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
 	  (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
 	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
+      if (grub_errno != GRUB_ERR_NONE)
+	return grub_errno;
     }

   grub_jpeg_get_byte (data);	/* Skip 3 unused bytes.  */
   grub_jpeg_get_word (data);
-
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
   if (data->file->offset != data_offset)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");

@@ -646,6 +694,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
 {
   unsigned c1, vb, hb, nr1, nc1;
   int rst = data->dri;
+  grub_err_t err = GRUB_ERR_NONE;

   vb = 8 << data->log_vs;
   hb = 8 << data->log_hs;
@@ -666,17 +715,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)

 	for (r2 = 0; r2 < (1U << data->log_vs); r2++)
 	  for (c2 = 0; c2 < (1U << data->log_hs); c2++)
-	    grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
+            {
+              err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
+              if (err != GRUB_ERR_NONE)
+                return err;
+            }

 	if (data->color_components >= 3)
 	  {
-	    grub_jpeg_decode_du (data, 1, data->cbdu);
-	    grub_jpeg_decode_du (data, 2, data->crdu);
+	    err = grub_jpeg_decode_du (data, 1, data->cbdu);
+	    if (err != GRUB_ERR_NONE)
+	      return err;
+	    err = grub_jpeg_decode_du (data, 2, data->crdu);
+	    if (err != GRUB_ERR_NONE)
+	      return err;
 	  }

-	if (grub_errno)
-	  return grub_errno;
-
 	nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
 	nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;

--
2.34.1