git.ipfire.org Git - thirdparty/grub.git/commit

author	Zhang Boyang <zhangboyang.id@gmail.com>
	Mon, 5 Sep 2022 19:03:21 +0000 (03:03 +0800)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Mon, 14 Nov 2022 19:24:39 +0000 (20:24 +0100)
commit	1eac01c147b4d85d2ec4a7e5671fa4345f2e8549
tree	f9e5b515ae906a72c4f953237ef8ab729b9393aa	tree
parent	93a786a00163e50c29f0394df198518617e1c9a5	commit \| diff

fbutil: Fix integer overflow

Expressions like u64 = u32 * u32 are unsafe because their products are
truncated to u32 even if left hand side is u64. This patch fixes all
problems like that one in fbutil.

To get right result not only left hand side have to be u64 but it's also
necessary to cast at least one of the operands of all leaf operators of
right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
u64 = (u64)u32 * u32 + (u64)u32 * u32.

For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
not overflow grub_uint64_t.

Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.

This patch also adds a comment to grub_video_fb_get_video_ptr() which
says it's arguments must be valid and no sanity check is performed
(like its siblings in grub-core/video/fb/fbutil.c).

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

grub-core/video/fb/fbutil.c		diff \| blob \| blame \| history
include/grub/fbutil.h		diff \| blob \| blame \| history