From: Ryan Cohen <rcohenprogramming@gmail.com>
Date: Sat, 26 Nov 2022 22:22:51 +0000 (-0500)
Subject: term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer
X-Git-Tag: grub-2.12-rc1~206
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=108a3865f43330b581d35b9cf6ecb1e0a1da5d49;p=thirdparty%2Fgrub.git

term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer

Coordinates passed to screen_write_char() did not have any checks to
ensure they are not out-of-bounds. This adds an if statement to prevent
out-of-bounds writes to the VGA text buffer.

Signed-off-by: Ryan Cohen <rcohenprogramming@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/term/i386/pc/vga_text.c b/grub-core/term/i386/pc/vga_text.c
index 669d06fad..b88fa9d2e 100644
--- a/grub-core/term/i386/pc/vga_text.c
+++ b/grub-core/term/i386/pc/vga_text.c
@@ -63,7 +63,8 @@ static grub_uint8_t cur_color = 0x7;
 static void
 screen_write_char (int x, int y, short c)
 {
-  VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
+  if (x < COLS && y < ROWS && x >= 0 && y >= 0)
+    VGA_TEXT_SCREEN[y * COLS + x] = grub_cpu_to_le16 (c);
 }
 
 static short