[SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operat

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operat

From:	Daniel Kiper
Subject:	[SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operation fails
Date:	Tue, 7 Jun 2022 19:01:20 +0200

From: Daniel Axtens <dja@axtens.net>

Fuzzing revealed some inputs that were taking a long time, potentially
forever, because they did not bail quickly upon encountering an I/O error.

Try to catch I/O errors sooner and bail out.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/video/readers/jpeg.c | 86 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 70 insertions(+), 16 deletions(-)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index c47ffd651..806c56c78 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -109,9 +109,17 @@ static grub_uint8_t
 grub_jpeg_get_byte (struct grub_jpeg_data *data)
 {
   grub_uint8_t r;
+  grub_ssize_t bytes_read;
 
   r = 0;
-  grub_file_read (data->file, &r, 1);
+  bytes_read = grub_file_read (data->file, &r, 1);
+
+  if (bytes_read != 1)
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                 "jpeg: unexpected end of data");
+      return 0;
+    }
 
   return r;
 }
@@ -120,9 +128,17 @@ static grub_uint16_t
 grub_jpeg_get_word (struct grub_jpeg_data *data)
 {
   grub_uint16_t r;
+  grub_ssize_t bytes_read;
 
   r = 0;
-  grub_file_read (data->file, &r, sizeof (grub_uint16_t));
+  bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
+
+  if (bytes_read != sizeof (grub_uint16_t))
+    {
+      grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                 "jpeg: unexpected end of data");
+      return 0;
+    }
 
   return grub_be_to_cpu16 (r);
 }
@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
   if (data->bit_mask == 0)
     {
       data->bit_save = grub_jpeg_get_byte (data);
+      if (grub_errno != GRUB_ERR_NONE) {
+       grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                   "jpeg: file read error");
+       return 0;
+      }
       if (data->bit_save == JPEG_ESC_CHAR)
        {
          if (grub_jpeg_get_byte (data) != 0)
@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
                          "jpeg: invalid 0xFF in data stream");
              return 0;
            }
+         if (grub_errno != GRUB_ERR_NONE)
+           {
+             grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
+             return 0;
+           }
        }
       data->bit_mask = 0x80;
     }
@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
     return 0;
 
   msb = value = grub_jpeg_get_bit (data);
-  for (i = 1; i < num; i++)
+  for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
     value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
   if (!msb)
     value += 1 - (1 << num);
@@ -208,6 +234,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
   while (data->file->offset + sizeof (count) + 1 <= next_marker)
     {
       id = grub_jpeg_get_byte (data);
+      if (grub_errno != GRUB_ERR_NONE)
+       return grub_errno;
       ac = (id >> 4) & 1;
       id &= 0xF;
       if (id > 1)
@@ -258,6 +286,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
 
   next_marker = data->file->offset;
   next_marker += grub_jpeg_get_word (data);
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
 
   if (next_marker > data->file->size)
     {
@@ -269,6 +299,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
         <= next_marker)
     {
       id = grub_jpeg_get_byte (data);
+      if (grub_errno != GRUB_ERR_NONE)
+        return grub_errno;
       if (id >= 0x10)          /* Upper 4-bit is precision.  */
        return grub_error (GRUB_ERR_BAD_FILE_TYPE,
                           "jpeg: only 8-bit precision is supported");
@@ -300,6 +332,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
   next_marker = data->file->offset;
   next_marker += grub_jpeg_get_word (data);
 
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
+
   if (grub_jpeg_get_byte (data) != 8)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
                       "jpeg: only 8-bit precision is supported");
@@ -325,6 +360,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
        return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
 
       ss = grub_jpeg_get_byte (data);  /* Sampling factor.  */
+      if (grub_errno != GRUB_ERR_NONE)
+       return grub_errno;
       if (!id)
        {
          grub_uint8_t vs, hs;
@@ -504,7 +541,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
     }
 }
 
-static void
+static grub_err_t
 grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
 {
   int h1, h2, qt;
@@ -519,6 +556,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, 
jpeg_data_unit_t du)
   data->dc_value[id] +=
     grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
 
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
+
   du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
   pos = 1;
   while (pos < ARRAY_SIZE (data->quan_table[qt]))
@@ -533,11 +573,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, 
jpeg_data_unit_t du)
       num >>= 4;
       pos += num;
 
+      if (grub_errno != GRUB_ERR_NONE)
+        return grub_errno;
+
       if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
        {
-         grub_error (GRUB_ERR_BAD_FILE_TYPE,
-                     "jpeg: invalid position in zigzag order!?");
-         return;
+         return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                            "jpeg: invalid position in zigzag order!?");
        }
 
       du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
@@ -545,6 +587,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, 
jpeg_data_unit_t du)
     }
 
   grub_jpeg_idct_transform (du);
+  return GRUB_ERR_NONE;
 }
 
 static void
@@ -603,7 +646,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
   data_offset += grub_jpeg_get_word (data);
 
   cc = grub_jpeg_get_byte (data);
-
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
   if (cc != 3 && cc != 1)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
                       "jpeg: component count must be 1 or 3");
@@ -616,7 +660,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
       id = grub_jpeg_get_byte (data) - 1;
       if ((id < 0) || (id >= 3))
        return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
-
+      if (grub_errno != GRUB_ERR_NONE)
+       return grub_errno;
       ht = grub_jpeg_get_byte (data);
       data->comp_index[id][1] = (ht >> 4);
       data->comp_index[id][2] = (ht & 0xF) + 2;
@@ -624,11 +669,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
       if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
          (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
        return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable 
index");
+      if (grub_errno != GRUB_ERR_NONE)
+       return grub_errno;
     }
 
   grub_jpeg_get_byte (data);   /* Skip 3 unused bytes.  */
   grub_jpeg_get_word (data);
-
+  if (grub_errno != GRUB_ERR_NONE)
+    return grub_errno;
   if (data->file->offset != data_offset)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
 
@@ -646,6 +694,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
 {
   unsigned c1, vb, hb, nr1, nc1;
   int rst = data->dri;
+  grub_err_t err = GRUB_ERR_NONE;
 
   vb = 8 << data->log_vs;
   hb = 8 << data->log_hs;
@@ -666,17 +715,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
 
        for (r2 = 0; r2 < (1U << data->log_vs); r2++)
          for (c2 = 0; c2 < (1U << data->log_hs); c2++)
-           grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
+            {
+              err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
+              if (err != GRUB_ERR_NONE)
+                return err;
+            }
 
        if (data->color_components >= 3)
          {
-           grub_jpeg_decode_du (data, 1, data->cbdu);
-           grub_jpeg_decode_du (data, 2, data->crdu);
+           err = grub_jpeg_decode_du (data, 1, data->cbdu);
+           if (err != GRUB_ERR_NONE)
+             return err;
+           err = grub_jpeg_decode_du (data, 2, data->crdu);
+           if (err != GRUB_ERR_NONE)
+             return err;
          }
 
-       if (grub_errno)
-         return grub_errno;
-
        nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
        nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;
 
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities - 2022/06/07 round, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 02/30] commands/boot: Add API to pass context to loader, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 01/30] loader/efi/chainloader: Simplify the loader state, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 04/30] kern/efi/sb: Reject non-kernel files in the shim_lock verifier, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 13/30] video/readers/jpeg: Refuse to handle multiple start of streams, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operation fails, Daniel Kiper <=
- [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 05/30] kern/file: Do not leak device_name on error in grub_file_open(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 26/30] fs/f2fs: Do not read past the end of nat bitmap, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 12/30] video/readers/jpeg: Do not reallocate a given huff table, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 03/30] loader/efi/chainloader: Use grub_loader_set_ex(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 10/30] video/readers/png: Sanity check some huffman codes, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting huff table items, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 07/30] video/readers/png: Refuse to handle multiple image headers, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 15/30] normal/charset: Fix array out-of-bounds formatting unicode for display, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we're checking against, Daniel Kiper, 2022/06/07

Prev by Date: [SECURITY PATCH 13/30] video/readers/jpeg: Refuse to handle multiple start of streams
Next by Date: [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely
Previous by thread: [SECURITY PATCH 13/30] video/readers/jpeg: Refuse to handle multiple start of streams
Next by thread: [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely
Index(es):
- Date
- Thread