git.proxmox.com Git - grub2.git/commit

author	Zhang Boyang <zhangboyang.id@gmail.com>
	Mon, 24 Oct 2022 00:05:35 +0000 (08:05 +0800)
committer	Steve McIntyre <93sam@debian.org>
	Sat, 12 Nov 2022 22:51:49 +0000 (22:51 +0000)
commit	f0d0d3e0d1cb84cba178b035b03a7b6041df0277
tree	c3ecc72561ab2f4d0cf41007ca307a7c3cb8df2b	tree
parent	c2491cb80ccca7306cc5e5c2f1b19c8a60409105	commit \| diff

font: Fix an integer underflow in blit_comb()

The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
evaluate to a very big invalid value even if both ctx.bounds.height and
combining_glyphs[i]->height are small integers. For example, if
ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
expression evaluates to 2147483647 (expected -1). This is because
coordinates are allowed to be negative but ctx.bounds.height is an
unsigned int. So, the subtraction operates on unsigned ints and
underflows to a very big value. The division makes things even worse.
The quotient is still an invalid value even if converted back to int.

This patch fixes the problem by casting ctx.bounds.height to int. As
a result the subtraction will operate on int and grub_uint16_t which
will be promoted to an int. So, the underflow will no longer happen. Other
uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
to ensure coordinates are always calculated on signed integers.

Fixes: CVE-2022-3775
Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

debian/patches/cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch	[new file with mode: 0644]	blob
grub-core/font/font.c		diff \| blob \| blame \| history