[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 048/117] video/fb/fbfill: Fix potential integer overflow
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 048/117] video/fb/fbfill: Fix potential integer overflow |
Date: |
Tue, 2 Mar 2021 19:00:55 +0100 |
From: Darren Kenny <darren.kenny@oracle.com>
The multiplication of 2 unsigned 32-bit integers may overflow before
promotion to unsigned 64-bit. We should ensure that the multiplication
is done with overflow detection. Additionally, use grub_sub() for
subtraction.
Fixes: CID 73640, CID 73697, CID 73702, CID 73823
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/fb/fbfill.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
index 11816d07a..a37acd1e2 100644
--- a/grub-core/video/fb/fbfill.c
+++ b/grub-core/video/fb/fbfill.c
@@ -31,6 +31,7 @@
#include <grub/fbfill.h>
#include <grub/fbutil.h>
#include <grub/types.h>
+#include <grub/safemath.h>
#include <grub/video.h>
/* Generic filler that works for every supported mode. */
@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info
*dst,
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info
*dst,
#endif
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info
*dst,
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info
*dst,
/* Calculate the number of bytes to advance from the end of one line
to the beginning of the next line. */
- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
+ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
+ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
+ return;
/* Get the start address. */
dstptr = grub_video_fb_get_video_ptr (dst, x, y);
--
2.11.0
- [SECURITY PATCH 038/117] zfs: Fix possible integer overflows, (continued)
- [SECURITY PATCH 038/117] zfs: Fix possible integer overflows, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 037/117] zfs: Fix resource leaks while constructing path, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 041/117] libgcrypt/mpi: Fix possible unintended sign extension, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 044/117] normal/completion: Fix leaking of memory when processing a completion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 043/117] syslinux: Fix memory leak while parsing, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 045/117] commands/hashsum: Fix a memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 042/117] libgcrypt/mpi: Fix possible NULL dereference, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 046/117] commands/probe: Fix a resource leak when probing disks, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 047/117] video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 050/117] video/fb/video_fb: Fix possible integer overflow, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 048/117] video/fb/fbfill: Fix potential integer overflow,
Daniel Kiper <=
- [SECURITY PATCH 051/117] video/readers/jpeg: Test for an invalid next marker reference from a jpeg file, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 049/117] video/fb/video_fb: Fix multiple integer overflows, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 053/117] loader/bsd: Check for NULL arg up-front, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 052/117] gfxmenu/gui_list: Remove code that coverity is flagging as dead, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 054/117] loader/xnu: Fix memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 055/117] loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 056/117] loader/xnu: Check if pointer is NULL before using it, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 057/117] util/grub-install: Fix NULL pointer dereferences, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 058/117] util/grub-editenv: Fix incorrect casting of a signed value, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 059/117] util/glue-efi: Fix incorrect use of a possibly negative value, Daniel Kiper, 2021/03/02