jpeg: Do not permit duplicate SOF0 markers in JPEG

Daniel Kiper via Grub-devel Tue, 18 Feb 2025 10:05:07 -0800

From: Daniel Axtens <[email protected]>

Otherwise a subsequent header could change the height and width
allowing future OOB writes.


Fixes: CVE-2024-45774

Reported-by: Nils Langius <[email protected]>
Signed-off-by: Daniel Axtens <[email protected]>
Reviewed-by: Daniel Kiper <[email protected]>
---
 grub-core/video/readers/jpeg.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index ae634fd41..631a89356 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
   if (grub_errno != GRUB_ERR_NONE)
     return grub_errno;
 
+  if (data->image_height != 0 || data->image_width != 0)
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                      "jpeg: cannot have duplicate SOF0 markers");
+
   if (grub_jpeg_get_byte (data) != 8)
     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
                       "jpeg: only 8-bit precision is supported");
-- 
2.11.0


_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel

[SECURITY PATCH 32/73] video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG

Reply via email to