| 12345678910111213141516171819202122232425262728293031323334 |
- From e170edd18fcfdd9e6f91ba750fd022cef8d43cd4 Mon Sep 17 00:00:00 2001
- From: Daniel Axtens <dja@axtens.net>
- Date: Tue, 6 Jul 2021 14:13:40 +1000
- Subject: [PATCH] video/readers/png: Refuse to handle multiple image headers
- This causes the bitmap to be leaked. Do not permit multiple image headers.
- Signed-off-by: Daniel Axtens <dja@axtens.net>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Upstream: 166a4d61448f74745afe1dac2f2cfb85d04909bf
- [Thomas: needed to cherry-pick
- e623866d9286410156e8b9d2c82d6253a1b22d08, which fixes CVE-2021-3695]
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/video/readers/png.c | 3 +++
- 1 file changed, 3 insertions(+)
- diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
- index d715c4629..35ae553c8 100644
- --- a/grub-core/video/readers/png.c
- +++ b/grub-core/video/readers/png.c
- @@ -258,6 +258,9 @@ grub_png_decode_image_header (struct grub_png_data *data)
- int color_bits;
- enum grub_video_blit_format blt;
-
- + if (data->image_width || data->image_height)
- + return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: two image headers found");
- +
- data->image_width = grub_png_get_dword (data);
- data->image_height = grub_png_get_dword (data);
-
- --
- 2.41.0
|
