term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer

Coordinates passed to screen_write_char() did not have any checks to
ensure they are not out-of-bounds. This adds an if statement to prevent
out-of-bounds writes to the VGA text buffer.

Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/term/i386/pc/vga_text.c b/grub-core/term/i386/pc/vga_text.c
index 669d06fad765756e22ac9ffb0247f25df15a2523..b88fa9d2e0164fae6dbbcb5f2957eb27b1527d69 100644 (file)
--- a/grub-core/term/i386/pc/vga_text.c
+++ b/grub-core/term/i386/pc/vga_text.c
@@ -63,7 +63,8 @@ static grub_uint8_t cur_color = 0x7;
 static void
 screen_write_char (int x, int y, short c)
 {
-  VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
+  if (x < COLS && y < ROWS && x >= 0 && y >= 0)
+    VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
 }
 
 static short