tablet/grub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

video/readers/jpeg: Abort sooner if a read operation fails

Browse Source 
Fuzzing revealed some inputs that were taking a long time, potentially
forever, because they did not bail quickly upon encountering an I/O error.

Try to catch I/O errors sooner and bail out.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Daniel Axtens 2021-06-28 14:16:14 +10:00 committed by Daniel Kiper
parent 690bee69fa
commit d5caac8ab7
1 changed files with 70 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
grub-core/video/readers/jpeg.c
View File

@ -109,9 +109,17 @@ static grub_uint8_t
grub_jpeg_get_byte (struct grub_jpeg_data *data)
{
grub_uint8_t r;
grub_ssize_t bytes_read;
r = 0;
grub_file_read (data->file, &r, 1);
bytes_read = grub_file_read (data->file, &r, 1);
if (bytes_read != 1)
{
grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: unexpected end of data");
return 0;
}
return r;
}
@ -120,9 +128,17 @@ static grub_uint16_t
grub_jpeg_get_word (struct grub_jpeg_data *data)
{
grub_uint16_t r;
grub_ssize_t bytes_read;
r = 0;
grub_file_read (data->file, &r, sizeof (grub_uint16_t));
bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t));
if (bytes_read != sizeof (grub_uint16_t))
{
grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: unexpected end of data");
return 0;
}
return grub_be_to_cpu16 (r);
}
@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
if (data->bit_mask == 0)
{
data->bit_save = grub_jpeg_get_byte (data);
if (grub_errno != GRUB_ERR_NONE) {
grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: file read error");
return 0;
}
if (data->bit_save == JPEG_ESC_CHAR)
{
if (grub_jpeg_get_byte (data) != 0)
@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data)
"jpeg: invalid 0xFF in data stream");
return 0;
}
if (grub_errno != GRUB_ERR_NONE)
{
grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error");
return 0;
}
}
data->bit_mask = 0x80;
}
@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num)
return 0;
msb = value = grub_jpeg_get_bit (data);
for (i = 1; i < num; i++)
for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++)
value = (value << 1) + (grub_jpeg_get_bit (data) != 0);
if (!msb)
value += 1 - (1 << num);
@ -208,6 +234,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
while (data->file->offset + sizeof (count) + 1 <= next_marker)
{
id = grub_jpeg_get_byte (data);
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
ac = (id >> 4) & 1;
id &= 0xF;
if (id > 1)
@ -258,6 +286,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
next_marker = data->file->offset;
next_marker += grub_jpeg_get_word (data);
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (next_marker > data->file->size)
{
@ -269,6 +299,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
<= next_marker)
{
id = grub_jpeg_get_byte (data);
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (id >= 0x10) /* Upper 4-bit is precision. */
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: only 8-bit precision is supported");
@ -300,6 +332,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
next_marker = data->file->offset;
next_marker += grub_jpeg_get_word (data);
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (grub_jpeg_get_byte (data) != 8)
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: only 8-bit precision is supported");
@ -325,6 +360,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
ss = grub_jpeg_get_byte (data); /* Sampling factor. */
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (!id)
{
grub_uint8_t vs, hs;
@ -504,7 +541,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du)
}
}
static void
static grub_err_t
grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
{
int h1, h2, qt;
@ -519,6 +556,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
data->dc_value[id] +=
grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1));
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
du[0] = data->dc_value[id] * (int) data->quan_table[qt][0];
pos = 1;
while (pos < ARRAY_SIZE (data->quan_table[qt]))
@ -533,11 +573,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
num >>= 4;
pos += num;
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (pos >= ARRAY_SIZE (jpeg_zigzag_order))
{
grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: invalid position in zigzag order!?");
return;
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: invalid position in zigzag order!?");
}
du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos];
@ -545,6 +587,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du)
}
grub_jpeg_idct_transform (du);
return GRUB_ERR_NONE;
}
static void
@ -603,7 +646,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
data_offset += grub_jpeg_get_word (data);
cc = grub_jpeg_get_byte (data);
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (cc != 3 && cc != 1)
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: component count must be 1 or 3");
@ -616,7 +660,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
id = grub_jpeg_get_byte (data) - 1;
if ((id < 0) || (id >= 3))
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index");
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
ht = grub_jpeg_get_byte (data);
data->comp_index[id][1] = (ht >> 4);
data->comp_index[id][2] = (ht & 0xF) + 2;
@ -624,11 +669,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) ||
(data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3))
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index");
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
}
grub_jpeg_get_byte (data); /* Skip 3 unused bytes. */
grub_jpeg_get_word (data);
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
if (data->file->offset != data_offset)
return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
@ -646,6 +694,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
{
unsigned c1, vb, hb, nr1, nc1;
int rst = data->dri;
grub_err_t err = GRUB_ERR_NONE;
vb = 8 << data->log_vs;
hb = 8 << data->log_hs;
@ -666,17 +715,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
for (r2 = 0; r2 < (1U << data->log_vs); r2++)
for (c2 = 0; c2 < (1U << data->log_hs); c2++)
grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
{
err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]);
if (err != GRUB_ERR_NONE)
return err;
}
if (data->color_components >= 3)
{
grub_jpeg_decode_du (data, 1, data->cbdu);
grub_jpeg_decode_du (data, 2, data->crdu);
err = grub_jpeg_decode_du (data, 1, data->cbdu);
if (err != GRUB_ERR_NONE)
return err;
err = grub_jpeg_decode_du (data, 2, data->crdu);
if (err != GRUB_ERR_NONE)
return err;
}
if (grub_errno)
return grub_errno;
nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb;
nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb;