video/readers/png: Sanity check some huffman codes

ASAN picked up two OOB global reads: we weren't checking if some code
values fit within the cplens or cpdext arrays. Check and throw an error
if not.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index d7ed5aa6cf67adb15af02cba1c9a5224124528ed..7f2ba7849bd68e26895f5c851b54eea77dd31c80 100644 (file)
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
          int len, dist, pos;
 
          n -= 257;
+         if (((unsigned int) n) >= ARRAY_SIZE (cplens))
+           return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                              "png: invalid huff code");
          len = cplens[n];
          if (cplext[n])
            len += grub_png_get_bits (data, cplext[n]);
@@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
            return grub_errno;
 
          n = grub_png_get_huff_code (data, &data->dist_table);
+         if (((unsigned int) n) >= ARRAY_SIZE (cpdist))
+           return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                              "png: invalid huff code");
          dist = cpdist[n];
          if (cpdext[n])
            dist += grub_png_get_bits (data, cpdext[n]);