grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 048/117] video/fb/fbfill: Fix potential integer overflow


From: Daniel Kiper
Subject: [SECURITY PATCH 048/117] video/fb/fbfill: Fix potential integer overflow
Date: Tue, 2 Mar 2021 19:00:55 +0100

From: Darren Kenny <darren.kenny@oracle.com>

The multiplication of 2 unsigned 32-bit integers may overflow before
promotion to unsigned 64-bit. We should ensure that the multiplication
is done with overflow detection. Additionally, use grub_sub() for
subtraction.

Fixes: CID 73640, CID 73697, CID 73702, CID 73823

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/video/fb/fbfill.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
index 11816d07a..a37acd1e2 100644
--- a/grub-core/video/fb/fbfill.c
+++ b/grub-core/video/fb/fbfill.c
@@ -31,6 +31,7 @@
 #include <grub/fbfill.h>
 #include <grub/fbutil.h>
 #include <grub/types.h>
+#include <grub/safemath.h>
 #include <grub/video.h>
 
 /* Generic filler that works for every supported mode.  */
@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info 
*dst,
 
   /* Calculate the number of bytes to advance from the end of one line
      to the beginning of the next line.  */
-  rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
 
   /* Get the start address.  */
   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info 
*dst,
 #endif
   /* Calculate the number of bytes to advance from the end of one line
      to the beginning of the next line.  */
-  rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
 
   /* Get the start address.  */
   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info 
*dst,
 
   /* Calculate the number of bytes to advance from the end of one line
      to the beginning of the next line.  */
-  rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
 
   /* Get the start address.  */
   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info 
*dst,
 
   /* Calculate the number of bytes to advance from the end of one line
      to the beginning of the next line.  */
-  rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+  if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+      grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+    return;
 
   /* Get the start address.  */
   dstptr = grub_video_fb_get_video_ptr (dst, x, y);
-- 
2.11.0




reply via email to

[Prev in Thread] Current Thread [Next in Thread]