[SECURITY PATCH 01/13] font: Reject glyphs exceeds font->max_glyph

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 01/13] font: Reject glyphs exceeds font->max_glyph_width

From:	Daniel Kiper
Subject:	[SECURITY PATCH 01/13] font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_height
Date:	Tue, 15 Nov 2022 19:00:58 +0100

From: Zhang Boyang <zhangboyang.id@gmail.com>

Check glyph's width and height against limits specified in font's
metadata. Reject the glyph (and font) if such limits are exceeded.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/font/font.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 42189c325..756ca0abf 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, 
grub_uint32_t code)
          || read_be_uint16 (font->file, &height) != 0
          || read_be_int16 (font->file, &xoff) != 0
          || read_be_int16 (font->file, &yoff) != 0
-         || read_be_int16 (font->file, &dwidth) != 0)
+         || read_be_int16 (font->file, &dwidth) != 0
+         || width > font->max_char_width
+         || height > font->max_char_height)
        {
          remove_font (font);
          return 0;
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 00/13] Multiple GRUB2 vulnerabilities - 2022/11/15, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 01/13] font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_height, Daniel Kiper <=
- [SECURITY PATCH 02/13] font: Fix size overflow in grub_font_get_glyph_internal(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 03/13] font: Fix several integer overflows in grub_font_construct_glyph(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 04/13] font: Remove grub_font_dup_glyph(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 10/13] font: Fix an integer underflow in blit_comb(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 05/13] font: Fix integer overflow in ensure_comb_space(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 07/13] font: Fix integer underflow in binary search of char index, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 08/13] kern/efi/sb: Enforce verification of font files, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 09/13] fbutil: Fix integer overflow, Daniel Kiper, 2022/11/15
- [SECURITY PATCH 11/13] font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror(), Daniel Kiper, 2022/11/15
- [SECURITY PATCH 12/13] font: Assign null_font to glyphs in ascii_font_glyph[], Daniel Kiper, 2022/11/15

Prev by Date: [SECURITY PATCH 00/13] Multiple GRUB2 vulnerabilities - 2022/11/15
Next by Date: [SECURITY PATCH 02/13] font: Fix size overflow in grub_font_get_glyph_internal()
Previous by thread: [SECURITY PATCH 00/13] Multiple GRUB2 vulnerabilities - 2022/11/15
Next by thread: [SECURITY PATCH 02/13] font: Fix size overflow in grub_font_get_glyph_internal()
Index(es):
- Date
- Thread