1*4882a593SmuzhiyunFrom 166a4d61448f74745afe1dac2f2cfb85d04909bf Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net>
3*4882a593SmuzhiyunDate: Mon, 28 Jun 2021 14:25:17 +1000
4*4882a593SmuzhiyunSubject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
5*4882a593Smuzhiyun streams
6*4882a593Smuzhiyun
7*4882a593SmuzhiyunAn invalid file could contain multiple start of stream blocks, which
8*4882a593Smuzhiyunwould cause us to reallocate and leak our bitmap. Refuse to handle
9*4882a593Smuzhiyunmultiple start of streams.
10*4882a593Smuzhiyun
11*4882a593SmuzhiyunAdditionally, fix a grub_error() call formatting.
12*4882a593Smuzhiyun
13*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net>
14*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
15*4882a593Smuzhiyun
16*4882a593SmuzhiyunUpstream-Status: Backport
17*4882a593Smuzhiyun
18*4882a593SmuzhiyunReference to upstream patch:
19*4882a593Smuzhiyunhttps://git.savannah.gnu.org/cgit/grub.git/commit/?id=166a4d61448f74745afe1dac2f2cfb85d04909bf
20*4882a593Smuzhiyun
21*4882a593SmuzhiyunSigned-off-by: Yongxin Liu <yongxin.liu@windriver.com>
22*4882a593Smuzhiyun---
23*4882a593Smuzhiyun grub-core/video/readers/jpeg.c | 7 +++++--
24*4882a593Smuzhiyun 1 file changed, 5 insertions(+), 2 deletions(-)
25*4882a593Smuzhiyun
26*4882a593Smuzhiyundiff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
27*4882a593Smuzhiyunindex 2284a6c06..579bbe8a4 100644
28*4882a593Smuzhiyun--- a/grub-core/video/readers/jpeg.c
29*4882a593Smuzhiyun+++ b/grub-core/video/readers/jpeg.c
30*4882a593Smuzhiyun@@ -683,6 +683,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
31*4882a593Smuzhiyun if (data->file->offset != data_offset)
32*4882a593Smuzhiyun return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
33*4882a593Smuzhiyun
34*4882a593Smuzhiyun+ if (*data->bitmap)
35*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
36*4882a593Smuzhiyun+
37*4882a593Smuzhiyun if (grub_video_bitmap_create (data->bitmap, data->image_width,
38*4882a593Smuzhiyun data->image_height,
39*4882a593Smuzhiyun GRUB_VIDEO_BLIT_FORMAT_RGB_888))
40*4882a593Smuzhiyun@@ -705,8 +708,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
41*4882a593Smuzhiyun nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
42*4882a593Smuzhiyun
43*4882a593Smuzhiyun if (data->bitmap_ptr == NULL)
44*4882a593Smuzhiyun- return grub_error(GRUB_ERR_BAD_FILE_TYPE,
45*4882a593Smuzhiyun- "jpeg: attempted to decode data before start of stream");
46*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
47*4882a593Smuzhiyun+ "jpeg: attempted to decode data before start of stream");
48*4882a593Smuzhiyun
49*4882a593Smuzhiyun for (; data->r1 < nr1 && (!data->dri || rst);
50*4882a593Smuzhiyun data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
51*4882a593Smuzhiyun--
52*4882a593Smuzhiyun2.34.1
53*4882a593Smuzhiyun
54
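Review bot: The new `if (*data->bitmap)` guard in grub_jpeg_decode_sos only detects a repeated SOS marker if `*data->bitmap` is guaranteed to be NULL before the first one, and nothing visible in this hunk establishes that. If a caller could hand in an uninitialised or reused pointer, a well-formed single-scan file would be rejected here, or a stale pointer would be treated as an existing allocation; it is worth confirming where the pointer is cleared. The guard would also benefit from a comment stating the invariant and the reason, for example `/* *data->bitmap stays NULL until the first SOS; a second SOS would re-create the bitmap and leak the first. */`. The error text says "start of scan" while the commit message and the message in grub_jpeg_decode_data say "start of stream", so one term should probably be used throughout. The body of grub_jpeg_decode_sos starts and ends outside the hunk.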