d10d6fb187
Porting patches from grub2_2.06-3~deb11u4 to fix CVE-2022-2601/CVE-2022-3775. The source code of grub2_2.06-3~deb11u4 is from: https://snapshot.debian.org/archive/debian/20221124T030451Z/ pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz Refer to above source code and this link for the fix: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html The 1st patch in the list is for making proper context for the 14 patches of the 2 CVEs. No content changes for all the patches from debian release. We do this because grub2/grub-efi is ported from wrlinux for secure boot bringing up. Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Closes-bug: 2020730 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7
87 lines
2.4 KiB
Diff
87 lines
2.4 KiB
Diff
From c140a086838e7c9af87842036f891b8393a8c4bc Mon Sep 17 00:00:00 2001
|
|
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Date: Sun, 14 Aug 2022 18:09:38 +0800
|
|
Subject: [PATCH 08/14] font: Fix integer underflow in binary search of char
|
|
index
|
|
|
|
If search target is less than all entries in font->index then "hi"
|
|
variable is set to -1, which translates to SIZE_MAX and leads to errors.
|
|
|
|
This patch fixes the problem by replacing the entire binary search code
|
|
with the libstdc++'s std::lower_bound() implementation.
|
|
|
|
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
|
|
1 file changed, 22 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
|
|
index e4cb0d867..abd412a5e 100644
|
|
--- a/grub-core/font/font.c
|
|
+++ b/grub-core/font/font.c
|
|
@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
|
|
static inline struct char_index_entry *
|
|
find_glyph (const grub_font_t font, grub_uint32_t code)
|
|
{
|
|
- struct char_index_entry *table;
|
|
- grub_size_t lo;
|
|
- grub_size_t hi;
|
|
- grub_size_t mid;
|
|
+ struct char_index_entry *table, *first, *end;
|
|
+ grub_size_t len;
|
|
|
|
table = font->char_index;
|
|
+ if (table == NULL)
|
|
+ return NULL;
|
|
|
|
/* Use BMP index if possible. */
|
|
if (code < 0x10000 && font->bmp_idx)
|
|
@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
|
|
*/
|
|
}
|
|
|
|
- /* Do a binary search in `char_index', which is ordered by code point. */
|
|
- lo = 0;
|
|
- hi = font->num_chars - 1;
|
|
-
|
|
- if (!table)
|
|
- return 0;
|
|
+ /*
|
|
+ * Do a binary search in char_index which is ordered by code point.
|
|
+ * The code below is the same as libstdc++'s std::lower_bound().
|
|
+ */
|
|
+ first = table;
|
|
+ len = font->num_chars;
|
|
+ end = first + len;
|
|
|
|
- while (lo <= hi)
|
|
+ while (len > 0)
|
|
{
|
|
- mid = lo + (hi - lo) / 2;
|
|
- if (code < table[mid].code)
|
|
- hi = mid - 1;
|
|
- else if (code > table[mid].code)
|
|
- lo = mid + 1;
|
|
+ grub_size_t half = len >> 1;
|
|
+ struct char_index_entry *middle = first + half;
|
|
+
|
|
+ if (middle->code < code)
|
|
+ {
|
|
+ first = middle + 1;
|
|
+ len = len - half - 1;
|
|
+ }
|
|
else
|
|
- return &table[mid];
|
|
+ len = half;
|
|
}
|
|
|
|
- return 0;
|
|
+ return (first < end && first->code == code) ? first : NULL;
|
|
}
|
|
|
|
/* Get a glyph for the Unicode character CODE in FONT. The glyph is loaded
|
|
--
|
|
2.30.2
|
|
|