summaryrefslogtreecommitdiffstats
path: root/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 10:54:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 10:54:18 +0000
commit8e67fbf68ffeb9eb5f026dd482d73b021660bf9b (patch)
treebb573facd5d02096f9956b2617a722b88acaa8af /debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
parentAdding upstream version 2.06. (diff)
downloadgrub2-8e67fbf68ffeb9eb5f026dd482d73b021660bf9b.tar.xz
grub2-8e67fbf68ffeb9eb5f026dd482d73b021660bf9b.zip
Adding debian version 2.06-3~deb11u6.debian/2.06-3_deb11u6debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch')
-rw-r--r--debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch109
1 files changed, 109 insertions, 0 deletions
diff --git a/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch b/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
new file mode 100644
index 0000000..99c2f5a
--- /dev/null
+++ b/debian/patches/cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
@@ -0,0 +1,109 @@
+From a85714545fe57a86d14ee231a4cd312158101d43 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Wed, 26 Oct 2022 20:16:44 -0400
+Subject: [PATCH 01/14] video/readers: Add artificial limit to image dimensions
+
+In grub-core/video/readers/jpeg.c, the height and width of a JPEG image don't
+have an upper limit for how big the JPEG image can be. In Coverity, this is
+getting flagged as an untrusted loop bound. This issue can also seen in PNG and
+TGA format images as well but Coverity isn't flagging it. To prevent this, the
+constant IMAGE_HW_MAX_PX is being added to include/grub/bitmap.h, which has
+a value of 16384, to act as an artificial limit and restrict the height and
+width of images. This value was picked as it is double the current max
+resolution size, which is 8K.
+
+Fixes: CID 292450
+
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ docs/grub.texi | 3 ++-
+ grub-core/video/readers/jpeg.c | 6 +++++-
+ grub-core/video/readers/png.c | 6 +++++-
+ grub-core/video/readers/tga.c | 7 +++++++
+ include/grub/bitmap.h | 2 ++
+ 5 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 0dbbdc374..2d6cd8358 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -1515,7 +1515,8 @@ resolution. @xref{gfxmode}.
+ Set a background image for use with the @samp{gfxterm} graphical terminal.
+ The value of this option must be a file readable by GRUB at boot time, and
+ it must end with @file{.png}, @file{.tga}, @file{.jpg}, or @file{.jpeg}.
+-The image will be scaled if necessary to fit the screen.
++The image will be scaled if necessary to fit the screen. Image height and
++width will be restricted by an artificial limit of 16384.
+
+ @item GRUB_THEME
+ Set a theme for use with the @samp{gfxterm} graphical terminal.
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 09596fbf5..ae634fd41 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -346,7 +346,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+ data->image_height = grub_jpeg_get_word (data);
+ data->image_width = grub_jpeg_get_word (data);
+
+- if ((!data->image_height) || (!data->image_width))
++ grub_dprintf ("jpeg", "image height: %d\n", data->image_height);
++ grub_dprintf ("jpeg", "image width: %d\n", data->image_width);
++
++ if ((!data->image_height) || (!data->image_width) ||
++ (data->image_height > IMAGE_HW_MAX_PX) || (data->image_width > IMAGE_HW_MAX_PX))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid image size");
+
+ cc = grub_jpeg_get_byte (data);
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 7f2ba7849..3163e97bf 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -264,7 +264,11 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->image_width = grub_png_get_dword (data);
+ data->image_height = grub_png_get_dword (data);
+
+- if ((!data->image_height) || (!data->image_width))
++ grub_dprintf ("png", "image height: %d\n", data->image_height);
++ grub_dprintf ("png", "image width: %d\n", data->image_width);
++
++ if ((!data->image_height) || (!data->image_width) ||
++ (data->image_height > IMAGE_HW_MAX_PX) || (data->image_width > IMAGE_HW_MAX_PX))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size");
+
+ color_bits = grub_png_get_byte (data);
+diff --git a/grub-core/video/readers/tga.c b/grub-core/video/readers/tga.c
+index a9ec3a1b6..9c35bf29d 100644
+--- a/grub-core/video/readers/tga.c
++++ b/grub-core/video/readers/tga.c
+@@ -340,6 +340,13 @@ grub_video_reader_tga (struct grub_video_bitmap **bitmap,
+ data.image_width = grub_le_to_cpu16 (data.hdr.image_width);
+ data.image_height = grub_le_to_cpu16 (data.hdr.image_height);
+
++ grub_dprintf ("tga", "image height: %d\n", data.image_height);
++ grub_dprintf ("tga", "image width: %d\n", data.image_width);
++
++ /* Check image height and width are within restrictions. */
++ if ((data.image_height > IMAGE_HW_MAX_PX) || (data.image_width > IMAGE_HW_MAX_PX))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "tga: invalid image size");
++
+ /* Check that bitmap encoding is supported. */
+ switch (data.hdr.image_type)
+ {
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8ca3..149d37bfe 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -24,6 +24,8 @@
+ #include <grub/types.h>
+ #include <grub/video.h>
+
++#define IMAGE_HW_MAX_PX 16384
++
+ struct grub_video_bitmap
+ {
+ /* Bitmap format description. */
+--
+2.30.2
+