A malformed bmp with 8-bit depth but a smaller color
map would cause out-of-bounds reads. This is not a real
problem as the image is signed, but better to be safe.
Reported on yeswehack.com as:
YWH-PGM9780-135
Follow-up for
0fa2cac4f0cdefaf1addd7f1fe0fd8113db9360b
return EFI_INVALID_PARAMETER;
}
+ /* Ensure there can be no OOB accesses in bmp_to_blt() due to malformed images (e.g.: color depth 8
+ * but smaller color map) via map[*in]. */
+ if (IN_SET(dib->depth, 1, 4, 8) &&
+ file->offset - (sizeof(struct bmp_file) + dib->size) < sizeof(struct bmp_map) * (1U << dib->depth))
+ return EFI_INVALID_PARAMETER;
+
*ret_map = map;
*ret_dib = dib;
*pixmap = bmp + file->offset;
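Review bot: The subtraction in the new condition, `file->offset - (sizeof(struct bmp_file) + dib->size)`, is unsigned arithmetic, so if `file->offset` is ever smaller than the two header sizes combined the result wraps to a very large value and the `<` comparison lets the malformed image through. Nothing visible in this hunk establishes `file->offset >= sizeof(struct bmp_file) + dib->size`; if an earlier check already guarantees it, a short note in the comment would help, otherwise consider the additive form `file->offset < sizeof(struct bmp_file) + dib->size + sizeof(struct bmp_map) * (1U << dib->depth)` (evaluated in `size_t`) or an explicit lower-bound test before the subtraction. The comment could also state that the check requires a full `1 << depth` entry color map, since that is the invariant `map[*in]` relies on.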