git.ipfire.org Git - thirdparty/grub.git/commit

author	Daniel Axtens <dja@axtens.net>
	Tue, 6 Jul 2021 08:51:35 +0000 (18:51 +1000)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Tue, 7 Jun 2022 14:39:32 +0000 (16:39 +0200)
commit	e623866d9286410156e8b9d2c82d6253a1b22d08
tree	df1e17fe26ea48a8acc26b030bd9410964e9cecd	tree
parent	347880a13c239b4c2811c94c9a7cf78b607332e3	commit \| diff

video/readers/png: Drop greyscale support to fix heap out-of-bounds write

A 16-bit greyscale PNG without alpha is processed in the following loop:

      for (i = 0; i < (data->image_width * data->image_height);
   i++, d1 += 4, d2 += 2)
{
  d1[R3] = d2[1];
  d1[G3] = d2[1];
  d1[B3] = d2[1];
}

The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
but there are only 3 bytes allocated for storage. This means that image
data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
out of every 4 following the end of the image.

This has existed since greyscale support was added in 2013 in commit
3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).

Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
and attempting to load it causes grub-emu to crash - I don't think this code
has ever worked.

Delete all PNG greyscale support.

Fixes: CVE-2021-3695
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>