[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 049/117] video/fb/video_fb: Fix multiple integer overflo
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 049/117] video/fb/video_fb: Fix multiple integer overflows |
Date: |
Tue, 2 Mar 2021 19:00:56 +0100 |
From: Darren Kenny <darren.kenny@oracle.com>
The calculation of the unsigned 64-bit value is being generated by
multiplying 2, signed or unsigned, 32-bit integers which may overflow
before promotion to unsigned 64-bit. Fix all of them.
Fixes: CID 73703, CID 73767, CID 73833
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++++++++-------------
1 file changed, 36 insertions(+), 16 deletions(-)
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
index 1a602c8b2..1c9a138dc 100644
--- a/grub-core/video/fb/video_fb.c
+++ b/grub-core/video/fb/video_fb.c
@@ -25,6 +25,7 @@
#include <grub/fbutil.h>
#include <grub/bitmap.h>
#include <grub/dl.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
{
if (framebuffer.current_dirty.first_line
<= framebuffer.current_dirty.last_line)
- grub_memcpy ((char *) framebuffer.pages[0]
- + framebuffer.current_dirty.first_line
- * framebuffer.back_target->mode_info.pitch,
- (char *) framebuffer.back_target->data
- + framebuffer.current_dirty.first_line
- * framebuffer.back_target->mode_info.pitch,
- framebuffer.back_target->mode_info.pitch
- * (framebuffer.current_dirty.last_line
- - framebuffer.current_dirty.first_line));
+ {
+ grub_size_t copy_size;
+
+ if (grub_sub (framebuffer.current_dirty.last_line,
+ framebuffer.current_dirty.first_line, ©_size) ||
+ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size,
©_size))
+ {
+ /* Shouldn't happen, but if it does we've a bug. */
+ return GRUB_ERR_BUG;
+ }
+
+ grub_memcpy ((char *) framebuffer.pages[0] +
framebuffer.current_dirty.first_line *
+ framebuffer.back_target->mode_info.pitch,
+ (char *) framebuffer.back_target->data +
framebuffer.current_dirty.first_line *
+ framebuffer.back_target->mode_info.pitch,
+ copy_size);
+ }
framebuffer.current_dirty.first_line
= framebuffer.back_target->mode_info.height;
framebuffer.current_dirty.last_line = 0;
@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct
grub_video_fbrender_target **back,
volatile void *framebuf)
{
grub_err_t err;
- grub_size_t page_size = mode_info.pitch * mode_info.height;
+ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
framebuffer.offscreen_buffer = grub_zalloc (page_size);
if (! framebuffer.offscreen_buffer)
@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
last_line = framebuffer.previous_dirty.last_line;
if (first_line <= last_line)
- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
- + first_line * framebuffer.back_target->mode_info.pitch,
- (char *) framebuffer.back_target->data
- + first_line * framebuffer.back_target->mode_info.pitch,
- framebuffer.back_target->mode_info.pitch
- * (last_line - first_line));
+ {
+ grub_size_t copy_size;
+
+ if (grub_sub (last_line, first_line, ©_size) ||
+ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size,
©_size))
+ {
+ /* Shouldn't happen, but if it does we've a bug. */
+ return GRUB_ERR_BUG;
+ }
+
+ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] +
first_line *
+ framebuffer.back_target->mode_info.pitch,
+ (char *) framebuffer.back_target->data + first_line *
+ framebuffer.back_target->mode_info.pitch,
+ copy_size);
+ }
+
framebuffer.previous_dirty = framebuffer.current_dirty;
framebuffer.current_dirty.first_line
= framebuffer.back_target->mode_info.height;
--
2.11.0
- [SECURITY PATCH 041/117] libgcrypt/mpi: Fix possible unintended sign extension, (continued)
- [SECURITY PATCH 041/117] libgcrypt/mpi: Fix possible unintended sign extension, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 044/117] normal/completion: Fix leaking of memory when processing a completion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 043/117] syslinux: Fix memory leak while parsing, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 045/117] commands/hashsum: Fix a memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 042/117] libgcrypt/mpi: Fix possible NULL dereference, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 046/117] commands/probe: Fix a resource leak when probing disks, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 047/117] video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 050/117] video/fb/video_fb: Fix possible integer overflow, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 048/117] video/fb/fbfill: Fix potential integer overflow, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 051/117] video/readers/jpeg: Test for an invalid next marker reference from a jpeg file, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 049/117] video/fb/video_fb: Fix multiple integer overflows,
Daniel Kiper <=
- [SECURITY PATCH 053/117] loader/bsd: Check for NULL arg up-front, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 052/117] gfxmenu/gui_list: Remove code that coverity is flagging as dead, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 054/117] loader/xnu: Fix memory leak, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 055/117] loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 056/117] loader/xnu: Check if pointer is NULL before using it, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 057/117] util/grub-install: Fix NULL pointer dereferences, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 058/117] util/grub-editenv: Fix incorrect casting of a signed value, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 059/117] util/glue-efi: Fix incorrect use of a possibly negative value, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 062/117] script/execute: Avoid crash when using "$#" outside a function scope, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 060/117] script/execute: Fix NULL dereference in grub_script_execute_cmdline(), Daniel Kiper, 2021/03/02