Почетна Преглед Помоћ
Регистрација Пријавите се
PUBLIC_REPOS
/
buildroot
огледало од git://git.buildroot.net/buildroot
2
1
Креирај огранак 0
Датотеке
Грана: 2023.02.x
Гране Ознаке
buildroot
/
boot
/
grub2
/
0018-font-Fix-an-integer-underflow-in-blit_comb.patch

0018-font-Fix-an-integer-underflow-in-blit_comb.patch 4.0 KB
Пермалинк Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293 
  1. From 79bd19e078c5053d800b1b4d3a901083da947e70 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Zhang Boyang <zhangboyang.id@gmail.com>
    3. 

  3. Date: Mon, 24 Oct 2022 08:05:35 +0800
    4. 

  4. Subject: [PATCH] font: Fix an integer underflow in blit_comb()
    5. 

  5. 

  6. The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
    7. 

  7. evaluate to a very big invalid value even if both ctx.bounds.height and
    8. 

  8. combining_glyphs[i]->height are small integers. For example, if
    9. 

  9. ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
    10. 

  10. expression evaluates to 2147483647 (expected -1). This is because
    11. 

  11. coordinates are allowed to be negative but ctx.bounds.height is an
    12. 

  12. unsigned int. So, the subtraction operates on unsigned ints and
    13. 

  13. underflows to a very big value. The division makes things even worse.
    14. 

  14. The quotient is still an invalid value even if converted back to int.
    15. 

  15. 

  16. This patch fixes the problem by casting ctx.bounds.height to int. As
    17. 

  17. a result the subtraction will operate on int and grub_uint16_t which
    18. 

  18. will be promoted to an int. So, the underflow will no longer happen. Other
    19. 

  19. uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
    20. 

  20. to ensure coordinates are always calculated on signed integers.
    21. 

  21. 

  22. Fixes: CVE-2022-3775
    23. 

  23. 

  24. Reported-by: Daniel Axtens <dja@axtens.net>
    25. 

  25. Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
    26. 

  26. Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
    27. 

  27. Upstream: 992c06191babc1e109caf40d6a07ec6fdef427af
    28. 

  28. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    29. 

  29. ---
    30. 

  30.  grub-core/font/font.c | 16 ++++++++--------
    31. 

  31.  1 file changed, 8 insertions(+), 8 deletions(-)
    32. 

  32. 

  33. diff --git a/grub-core/font/font.c b/grub-core/font/font.c
    34. 

  34. index 0ff552578..7b1cbde07 100644
    35. 

  35. --- a/grub-core/font/font.c
    36. 

  36. +++ b/grub-core/font/font.c
    37. 

  37. @@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
    38. 

  38.    ctx.bounds.height = main_glyph->height;
    39. 

  39.  
    40. 

  40.    above_rightx = main_glyph->offset_x + main_glyph->width;
    41. 

  41. -  above_righty = ctx.bounds.y + ctx.bounds.height;
    42. 

  42. +  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
    43. 

  43.  
    44. 

  44.    above_leftx = main_glyph->offset_x;
    45. 

  45. -  above_lefty = ctx.bounds.y + ctx.bounds.height;
    46. 

  46. +  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
    47. 

  47.  
    48. 

  48. -  below_rightx = ctx.bounds.x + ctx.bounds.width;
    49. 

  49. +  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
    50. 

  50.    below_righty = ctx.bounds.y;
    51. 

  51.  
    52. 

  52.    comb = grub_unicode_get_comb (glyph_id);
    53. 

  53. @@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
    54. 

  54.  
    55. 

  55.        if (!combining_glyphs[i])
    56. 

  56.  	continue;
    57. 

  57. -      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
    58. 

  58. +      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
    59. 

  59.        /* CGJ is to avoid diacritics reordering. */
    60. 

  60.        if (comb[i].code
    61. 

  61.  	  == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
    62. 

  62. @@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
    63. 

  63.  	case GRUB_UNICODE_COMB_OVERLAY:
    64. 

  64.  	  do_blit (combining_glyphs[i],
    65. 

  65.  		   targetx,
    66. 

  66. -		   (ctx.bounds.height - combining_glyphs[i]->height) / 2
    67. 

  67. -		   - (ctx.bounds.height + ctx.bounds.y), &ctx);
    68. 

  68. +		   ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
    69. 

  69. +		   - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
    70. 

  70.  	  if (min_devwidth < combining_glyphs[i]->width)
    71. 

  71.  	    min_devwidth = combining_glyphs[i]->width;
    72. 

  72.  	  break;
    73. 

  73. @@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
    74. 

  74.  	  /* Fallthrough.  */
    75. 

  75.  	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
    76. 

  76.  	  do_blit (combining_glyphs[i], targetx,
    77. 

  77. -		   -(ctx.bounds.height + ctx.bounds.y + space
    78. 

  78. +		   -((int) ctx.bounds.height + ctx.bounds.y + space
    79. 

  79.  		     + combining_glyphs[i]->height), &ctx);
    80. 

  80.  	  if (min_devwidth < combining_glyphs[i]->width)
    81. 

  81.  	    min_devwidth = combining_glyphs[i]->width;
    82. 

  82. @@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
    83. 

  83.  
    84. 

  84.  	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
    85. 

  85.  	  do_blit (combining_glyphs[i], targetx,
    86. 

  86. -		   -(ctx.bounds.height / 2 + ctx.bounds.y
    87. 

  87. +		   -((int) ctx.bounds.height / 2 + ctx.bounds.y
    88. 

  88.  		     + combining_glyphs[i]->height / 2), &ctx);
    89. 

  89.  	  if (min_devwidth < combining_glyphs[i]->width)
    90. 

  90.  	    min_devwidth = combining_glyphs[i]->width;
    91. 

  91. -- 
    92. 

  92. 2.41.0
    93. 

  93.