From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Tue, 7 Jul 2020 13:36:26 +0000 (+0200)
Subject: font: Do not load more than one NAME section
X-Git-Tag: grub-2.06-rc1~240
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89f3da1a3d14023eda182e075919dd584031ecad;p=thirdparty%2Fgrub.git

font: Do not load more than one NAME section

The GRUB font file can have one NAME section only. Though if somebody
crafts a broken font file with many NAME sections and loads it then the
GRUB leaks memory. So, prevent against that by loading first NAME
section and failing in controlled way on following one.

Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
---

diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 5edb477ac..d09bb38d8 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
       if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
 		       sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
 	{
+	  if (font->name != NULL)
+	    {
+	      grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
+	      goto fail;
+	    }
+
 	  font->name = read_section_as_string (&section);
 	  if (!font->name)
 	    goto fail;