[PATCH 1/2] video/readers: Add artificial limit to image dimensions

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/2] video/readers: Add artificial limit to image dimensions

From:	Alec Brown
Subject:	[PATCH 1/2] video/readers: Add artificial limit to image dimensions
Date:	Thu, 20 Oct 2022 17:11:13 -0400

In grub-core/video/readers/jpeg.c, the height and width of a JPEG image don't
have an upper limit for how big the JPEG image can be. In coverity, this is
getting flagged as an untrusted loop bound. This issue can also seen in PNG and
TGA format images as well but coverity isn't flagging it. To prevent this, the
constant IMAGE_HW_MAX_PX is being added to bitmap.h, which has a value of 16384,
to act as an artifical limit and restrict the height and width of images. This
value was picked as it is double the current max resolution size, which is 8K.

Fixes: CID 292450

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
---
 docs/grub.texi                 | 3 ++-
 grub-core/video/readers/jpeg.c | 6 +++++-
 grub-core/video/readers/png.c  | 6 +++++-
 grub-core/video/readers/tga.c  | 7 +++++++
 include/grub/bitmap.h          | 2 ++
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 9835c878a..d448ca969 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -1507,7 +1507,8 @@ resolution.  @xref{gfxmode}.
 Set a background image for use with the @samp{gfxterm} graphical terminal.
 The value of this option must be a file readable by GRUB at boot time, and
 it must end with @file{.png}, @file{.tga}, @file{.jpg}, or @file{.jpeg}.
-The image will be scaled if necessary to fit the screen.
+The image will be scaled if necessary to fit the screen. Image height and
+width will be restricted by an artificial limit of 16384.
 
 @item GRUB_THEME
 Set a theme for use with the @samp{gfxterm} graphical terminal.
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index e31602f76..0eeea0e63 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -301,7 +301,11 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
   data->image_height = grub_jpeg_get_word (data);
   data->image_width = grub_jpeg_get_word (data);
 
-  if ((!data->image_height) || (!data->image_width))
+  grub_dprintf ("jpeg", "image height: %d\n", data->image_height);
+  grub_dprintf ("jpeg", "image width: %d\n", data->image_width);
+
+  if ((!data->image_height) || (!data->image_width) ||
+      (data->image_height > IMAGE_HW_MAX_PX) || (data->image_width > 
IMAGE_HW_MAX_PX))
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid image size");
 
   cc = grub_jpeg_get_byte (data);
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
index 54dfedf43..d658cbb0e 100644
--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
@@ -252,7 +252,11 @@ grub_png_decode_image_header (struct grub_png_data *data)
   data->image_width = grub_png_get_dword (data);
   data->image_height = grub_png_get_dword (data);
 
-  if ((!data->image_height) || (!data->image_width))
+  grub_dprintf ("png", "image height: %d\n", data->image_height);
+  grub_dprintf ("png", "image width: %d\n", data->image_width);
+
+  if ((!data->image_height) || (!data->image_width) ||
+      (data->image_height > IMAGE_HW_MAX_PX) || (data->image_width > 
IMAGE_HW_MAX_PX))
     return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size");
 
   color_bits = grub_png_get_byte (data);
diff --git a/grub-core/video/readers/tga.c b/grub-core/video/readers/tga.c
index a9ec3a1b6..f2f563d06 100644
--- a/grub-core/video/readers/tga.c
+++ b/grub-core/video/readers/tga.c
@@ -340,6 +340,13 @@ grub_video_reader_tga (struct grub_video_bitmap **bitmap,
   data.image_width = grub_le_to_cpu16 (data.hdr.image_width);
   data.image_height = grub_le_to_cpu16 (data.hdr.image_height);
 
+  grub_dprintf ("tga", "image height: %d\n", data.image_height);
+  grub_dprintf ("tga", "image width: %d\n", data.image_width);
+
+  /* Check image height and width are within restrictions */
+  if ((data.image_height > IMAGE_HW_MAX_PX) || (data.image_width > 
IMAGE_HW_MAX_PX))
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "tga: invalid image size");
+
   /* Check that bitmap encoding is supported.  */
   switch (data.hdr.image_type)
     {
diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
index 5728f8ca3..149d37bfe 100644
--- a/include/grub/bitmap.h
+++ b/include/grub/bitmap.h
@@ -24,6 +24,8 @@
 #include <grub/types.h>
 #include <grub/video.h>
 
+#define IMAGE_HW_MAX_PX                16384
+
 struct grub_video_bitmap
 {
   /* Bitmap format description.  */
-- 
2.27.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/2] Fix Coverity untrusted loop bound bugs in jpeg.c, Alec Brown, 2022/10/20
- [PATCH 2/2] video/readers/jpeg: Check next_marker is within file size, Alec Brown, 2022/10/20
  - Re: [PATCH 2/2] video/readers/jpeg: Check next_marker is within file size, Daniel Axtens, 2022/10/21
    - Re: [External] : Re: [PATCH 2/2] video/readers/jpeg: Check next_marker is within file size, Alec Brown, 2022/10/26
- [PATCH 1/2] video/readers: Add artificial limit to image dimensions, Alec Brown <=
- Re: [PATCH 0/2] Fix Coverity untrusted loop bound bugs in jpeg.c, Daniel Kiper, 2022/10/21

Prev by Date: [PATCH 2/2] video/readers/jpeg: Check next_marker is within file size
Next by Date: [PATCH 0/2] Fix Coverity untrusted loop bound bugs in jpeg.c
Previous by thread: Re: [External] : Re: [PATCH 2/2] video/readers/jpeg: Check next_marker is within file size
Next by thread: Re: [PATCH 0/2] Fix Coverity untrusted loop bound bugs in jpeg.c
Index(es):
- Date
- Thread