[PATCH 1/1] jpeg: Fix possible invalid loop boundary condition

[PATCH 1/1] jpeg: Fix possible invalid loop boundary condition

[Darren Kenny]

The value of next_marker is adjusted based on the a word sized value
read from data->file.

The updated next_marker value should reference a location in the file
just beyond the huffman table, and as such should not have a value
larger than the size of the file.

Fixes: CID 73657

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
---
 grub-core/video/readers/jpeg.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index e31602f766ae..c47ffd65151e 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -199,6 +199,12 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
   next_marker = data->file->offset;
   next_marker += grub_jpeg_get_word (data);
 
+  if (next_marker > data->file->size)
+    {
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+			 "jpeg: invalid huffman table");
+    }
+
   while (data->file->offset + sizeof (count) + 1 <= next_marker)
     {
       id = grub_jpeg_get_byte (data);
-- 
2.27.0

Re: [PATCH 1/1] jpeg: Fix possible invalid loop boundary condition

[Daniel Kiper]

On Tue, Apr 05, 2022 at 06:25:52PM +0000, Darren Kenny wrote:
> The value of next_marker is adjusted based on the a word sized value
> read from data->file.
>
> The updated next_marker value should reference a location in the file
> just beyond the huffman table, and as such should not have a value
> larger than the size of the file.
>
> Fixes: CID 73657
>
> Signed-off-by: Darren Kenny <darren.kenny@oracle.com>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Daniel