git.ipfire.org Git - thirdparty/grub.git/commit

author	Zhang Boyang <zhangboyang.id@gmail.com>
	Fri, 28 Oct 2022 13:31:39 +0000 (21:31 +0800)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Mon, 14 Nov 2022 19:24:39 +0000 (20:24 +0100)
commit	1514678888595ef41a968a0c69b7ff769edd1e9c
tree	a998e742a985ec0a4cf0df77a1bd13d29319c32f	tree
parent	22b77b87e10a3a6c9bb9885415bc9a9c678378e6	commit \| diff

normal/charset: Fix an integer overflow in grub_unicode_aglomerate_comb()

The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.

This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when limit is reached.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

grub-core/normal/charset.c		diff \| blob \| blame \| history
include/grub/unicode.h		diff \| blob \| blame \| history