Commit graph

77 commits

Author SHA1 Message Date
Alexey Makhalov
26a8c19307 gfxmenu: Fix double free in load_image()
self->bitmap should be zeroed after free. Otherwise, there is a chance
to double free (USE_AFTER_FREE) it later in rescale_image().

Fixes: CID 292472

Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-07-29 16:55:48 +02:00
Peter Jones
f725fa7cb2 calloc: Use calloc() at most places
This modifies most of the places we do some form of:

  X = malloc(Y * Z);

to use calloc(Y, Z) instead.

Among other issues, this fixes:
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in luks_recover_key()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_lvm_detect()
    reported by Chris Coulson.

Fixes: CVE-2020-14308

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-07-29 16:55:47 +02:00
Peter Jones
d5a32255de misc: Make grub_strtol() "end" pointers have safer const qualifiers
Currently the string functions grub_strtol(), grub_strtoul(), and
grub_strtoull() don't declare the "end" pointer in such a way as to
require the pointer itself or the character array to be immutable to the
implementation, nor does the C standard do so in its similar functions,
though it does require us not to change any of it.

The typical declarations of these functions follow this pattern:

long
strtol(const char * restrict nptr, char ** restrict endptr, int base);

Much of the reason for this is historic, and a discussion of that
follows below, after the explanation of this change.  (GRUB currently
does not include the "restrict" qualifiers, and we name the arguments a
bit differently.)

The implementation is semantically required to treat the character array
as immutable, but such accidental modifications aren't stopped by the
compiler, and the semantics for both the callers and the implementation
of these functions are sometimes also helped by adding that requirement.

This patch changes these declarations to follow this pattern instead:

long
strtol(const char * restrict nptr,
       const char ** const restrict endptr,
       int base);

This means that if any modification to these functions accidentally
introduces either an errant modification to the underlying character
array, or an accidental assignment to endptr rather than *endptr, the
compiler should generate an error.  (The two uses of "restrict" in this
case basically mean strtol() isn't allowed to modify the character array
by going through *endptr, and endptr isn't allowed to point inside the
array.)

It also means the typical use case changes to:

  char *s = ...;
  const char *end;
  long l;

  l = strtol(s, &end, 10);

Or even:

  const char *p = str;
  while (p && *p) {
	  long l = strtol(p, &p, 10);
	  ...
  }

This fixes 26 places where we discard our attempts at treating the data
safely by doing:

  const char *p = str;
  long l;

  l = strtol(p, (char **)&ptr, 10);

It also adds 5 places where we do:

  char *p = str;
  while (p && *p) {
	  long l = strtol(p, (const char ** const)&p, 10);
	  ...
	  /* more calls that need p not to be pointer-to-const */
  }

While moderately distasteful, this is a better problem to have.

With one minor exception, I have tested that all of this compiles
without relevant warnings or errors, and that /much/ of it behaves
correctly, with gcc 9 using 'gcc -W -Wall -Wextra'.  The one exception
is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea
how to build.

Because the C standard defined type-qualifiers in a way that can be
confusing, in the past there's been a slow but fairly regular stream of
churn within our patches, which add and remove the const qualifier in many
of the users of these functions.  This change should help avoid that in
the future, and in order to help ensure this, I've added an explanation
in misc.h so that when someone does get a compiler warning about a type
error, they have the fix at hand.

The reason we don't have "const" in these calls in the standard is
purely anachronistic: C78 (de facto) did not have type qualifiers in the
syntax, and the "const" type qualifier was added for C89 (I think; it
may have been later).  strtol() appears to date from 4.3BSD in 1986,
which means it could not be added to those functions in the standard
without breaking compatibility, which is usually avoided.

The syntax chosen for type qualifiers is what has led to the churn
regarding usage of const, and is especially confusing on string
functions due to the lack of a string type.  Quoting from C99, the
syntax is:

 declarator:
  pointer[opt] direct-declarator
 direct-declarator:
  identifier
  ( declarator )
  direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ]
  ...
  direct-declarator [ type-qualifier-list[opt] * ]
  ...
 pointer:
  * type-qualifier-list[opt]
  * type-qualifier-list[opt] pointer
 type-qualifier-list:
  type-qualifier
  type-qualifier-list type-qualifier
 ...
 type-qualifier:
  const
  restrict
  volatile

So the examples go like:

const char foo;			// immutable object
const char *foo;		// mutable pointer to object
char * const foo;		// immutable pointer to mutable object
const char * const foo;		// immutable pointer to immutable object
const char const * const foo; 	// XXX extra const keyword in the middle
const char * const * const foo; // immutable pointer to immutable
				//   pointer to immutable object
const char ** const foo;	// immutable pointer to mutable pointer
				//   to immutable object

Making const left-associative for * and right-associative for everything
else may not have been the best choice ever, but here we are, and the
inevitable result is people using trying to use const (as they should!),
putting it at the wrong place, fighting with the compiler for a bit, and
then either removing it or typecasting something in a bad way.  I won't
go into describing restrict, but its syntax has exactly the same issue
as with const.

Anyway, the last example above actually represents the *behavior* that's
required of strtol()-like functions, so that's our choice for the "end"
pointer.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-02-28 12:41:29 +01:00
Vladimir Serbinenko
ca0a4f689a verifiers: File type for fine-grained signature-verification controlling
Let's provide file type info to the I/O layer. This way verifiers
framework and its users will be able to differentiate files and verify
only required ones.

This is preparatory patch.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
2018-11-09 13:25:31 +01:00
Andrei Borzenkov
a4b1326f0d gfxmenu: fix memory leak
Found by: Coverity scan.
CID: 96657
2016-01-12 21:52:50 +03:00
Andrei Borzenkov
fa2af21ec8 gfxmenu: fix memory leak
Found by: Coverity scan.
CID: 73766
2016-01-09 13:55:28 +03:00
Konstantin Vlasov
5646e03dba gfxterm: fix calculation of terminal-top and terminal-height
They used screen width, not height.
2015-11-13 21:54:19 +03:00
Vladimir Serbinenko
f59b83fce6 gfxmenu/model: Delete empty file. 2015-10-09 23:30:53 +02:00
Vladimir Serbinenko
af0be976bf gfxmenu/theme_loader: Add missing allos error check.
Found by: Coverity scan.
2015-01-26 09:37:39 +01:00
Vladimir Serbinenko
bd74a925e5 gfxmenu/icon_manager: Fix null pointer dereference.
Found by: Coverity scan.
2015-01-26 09:37:01 +01:00
Vladimir Serbinenko
6866f2ba37 Remove potential division by 0 in gfxmenu. 2015-01-21 17:42:15 +01:00
Vladimir Serbinenko
ae558c2ccf Enable -Wformat=2 if it's supported. 2013-12-21 15:28:28 +01:00
Vladimir Serbinenko
5620eb5332 * grub-core/gfxmenu/gui_circular_progress.c (parse_angle):
Use to get rounded angle rather than truncated.
2013-11-08 19:13:15 +01:00
Vladimir Serbinenko
d06de6c871 * grub-core/gfxmenu/gui_list.c (draw_scrollbar): Avoid
division by-zero and senseless negative divisions.
2013-11-08 15:44:39 +01:00
Vladimir Serbinenko
6af7d49b92 * grub-core/gfxmenu/gui_circular_progress.c (circprog_paint): Avoid
division by-zero and senseless negative divisions.
	(circprog_set_property): Don't accept negative num_ticks.
2013-11-08 15:43:07 +01:00
Vladimir Serbinenko
bcfa6d72e3 * grub-core/gfxmenu/gui_progress_bar.c (draw_pixmap_bar): Avoid
division by-zero and senseless negative divisions.
2013-11-08 15:38:58 +01:00
Vladimir Testov
4db2250000 * grub-core/gfxmenu/gui_box.c: Updated to work with area status.
* grub-core/gfxmenu/gui_canvas.c: Likewise.
        * grub-core/gfxmenu/view.c: Likewise.
        * grub-core/video/fb/video_fb.c: Introduce new functions:
        grub_video_set_area_status, grub_video_get_area_status,
        grub_video_set_region, grub_video_get_region.
        * grub-core/video/bochs.c: Likewise.
        * grub-core/video/capture.c: Likewise.
        * grub-core/video/video.c: Likewise.
        * grub-core/video/cirrus.c: Likewise.
        * grub-core/video/efi_gop.c: Likewise.
        * grub-core/video/efi_uga.c: Likewise.
        * grub-core/video/emu/sdl.c: Likewise.
        * grub-core/video/radeon_fuloong2e.c: Likewise.
        * grub-core/video/sis315pro.c: Likewise.
        * grub-core/video/sm712.c: Likewise.
        * grub-core/video/i386/pc/vbe.c: Likewise.
        * grub-core/video/i386/pc/vga.c: Likewise.
        * grub-core/video/ieee1275.c: Likewise.
        * grub-core/video/i386/coreboot/cbfb.c: Likewise.
        * include/grub/video.h: Likewise.
        * include/grub/video_fb.h: Likewise.
        * include/grub/fbfill.h: Updated render_target structure.
        grub_video_rect_t viewport, region, area
        int area_offset_x, area_offset_y, area_enabled
        * include/grub/gui.h: New helper function
        grub_video_bounds_inside_region.
        * docs/grub-dev.texi: Added information about new functions.
2013-11-08 15:42:38 +04:00
Vladimir Serbinenko
e54b8f536b * include/grub/misc.h (grub_strcat): Removed. All users changed to
more appropriate functions.
2013-11-01 16:27:37 +01:00
Vladimir Testov
47e0a61f6f * grub-core/gfxmenu/gui_progress_bar.c: Sanity checks added. 2013-10-17 15:50:25 +04:00
Vladimir Testov
946fd07357 * grub-core/gfxmenu/gui_progress_bar.c: New option `highlight_overlay`
* docs/gurb.texi: Likewise.
2013-10-17 15:42:49 +04:00
Vladimir Testov
9c13c57623 * grub-core/gfxmenu/gui_progress_bar.c (draw_pixmap_bar): Fixed bug.
Pixmap highlighted section with east and west slices was displayed
        incorrectly due to negative width of the central slice.
2013-10-17 15:34:04 +04:00
Vladimir Testov
ac48d334ab * grub-core/gfxmenu/gui_list.c: Scrollbar sanity checks added. 2013-10-15 18:16:06 +04:00
Vladimir Testov
b2b71bff36 * grub-core/gfxmenu/gui_list.c: New option item_pixmap_style.
* docs/grub.texi: Likewise.
2013-10-15 18:12:39 +04:00
Vladimir Testov
145e2369a7 * grub-core/gfxmenu/gui_list.c: New option scrollbar_thumb_overlay.
* docs/grub.texi: Likewise.
2013-10-10 14:37:19 +04:00
Vladimir Testov
ad297ec734 * grub-core/gfxmenu/gui_list.c: New options for scrollbar padding:
scrollbar_left_pad, scrollbar_right_pad, scrollbar_top_pad,
       scrollbar_bottom_pad
       * docs/grub.texi: Likewise.
2013-10-09 16:55:16 +04:00
Vladimir Testov
6e9e5dc98b * grub-core/gfxmenu/gui_list.c (list_destroy): Fixed memory leak. 2013-10-09 10:44:11 +04:00
Vladimir Testov
53a5f5c2f0 * grub-core/gfxmenu/gui_list.c (draw_scrollbar): Fixed rare
occasional bug. If there are too many boot entries or too low
       scrollbar height then we need to use another formula to calculate
       the position and size of the scrollbar thumb.
2013-10-08 18:49:35 +04:00
Vladimir Testov
c582736463 * grub-core/gfxmenu/gui_list.c: New option scrollbar-slice.
* docs/grub.texi: Likewise.
2013-10-08 18:31:53 +04:00
Vladimir Testov
dd2ed8b092 * grub-core/gfxmenu/gui_list.c: Draw the scrollbar in a separate
viewport.
2013-10-08 16:27:56 +04:00
Vladimir Testov
7286c38450 * grub-core/gfxmenu.c (list_get_minimal_size): Corrected minimal
width calculations.
2013-10-08 15:35:00 +04:00
Vladimir 'phcoder' Serbinenko
498d503316 * grub-core/gfxmenu/theme_loader.c (theme_set_string): Fix memory leak
and don't mark error strings for translation.
2013-10-03 23:23:00 +02:00
Vladimir Testov
ebc1da55cd * grub-core/gfxmenu/theme_loader.c: New global options for the
theme background image handling. desktop-image-scale-method,
       desktop-image-h-align, desktop-image-v-align.
       * grub-core/gfxmenu/view.c: Likewise.
       * include/gfxmenu_view.h: Likewise.
       * include/bitmap_scale.h: Proportional scale functions introduced.
       * grub-core/video/bitmap_scale.c: Likewise. Verification checks are
       put in a separate functions. GRUB_ERR_BUG is set for grub_error in
       cases of unexpected input variables for scale functions.
       * docs/grub.texi: Updated documentation for new options.
2013-10-02 18:17:33 +04:00
Vladimir Testov
03dafa17df * grub-core/gfxmenu/gui_list.c: Baseline misplacement fixed. 2013-08-15 16:13:51 +04:00
Vladimir Testov
224a55bb07 * grub-core/gfxmenu/gui_list.c: The number of color mappings is
reduced. Inheritant options are processed during the theme loading.
2013-08-15 16:12:11 +04:00
Vladimir Testov
58ec39c6a7 * grub-core/gfxmenu/gui_list.c: Minimal width fixed. 2013-08-15 16:10:45 +04:00
Vladimir Testov
b47434612c * docs/grub.texi: Introduce terminal window position options:
terminal-left: terminal window's left position
        terminal-top: terminal window's top position
        terminal-width: terminal window's width
        terminal-height: terminal window's height
        * grub-core/gfxmenu/theme-loader.c: Likewise.
        * include/grub/gfxmenu_view.h: Likewise.
        * po/exlude.pot: Likewise.
        * grub-core/gfxmenu/view.c: Likewise.
        Also updated minimal window size.
        Also terminal_sanity_check function has been introduced.
2013-08-08 12:55:24 +04:00
Vladimir Testov
ba8bc620d1 * grub-core/gfxmenu/widget-box.c: Fixed draw function. Now it takes
maximum of NW, N, NE heights instead of N's height and maximum of
       NW, W, SW widths instead of W's width. (So the box will be always
       correctly drawn)
2013-07-25 18:15:15 +04:00
Vladimir Testov
d110499b22 * grub-core/gfxmenu/gui_list.c: USe viewport when drawing strings. 2013-07-14 23:10:27 +02:00
Vladimir Testov
a8674ad37b * grub-core/gfxmenu/gui_list.c: Fix height calculation. 2013-07-14 23:02:37 +02:00
Vladimir 'phcoder' Serbinenko
fc4c4fddf6 Detach optional parts of gfxterm and integrate in with coreboot init. 2013-05-31 00:42:33 +02:00
Vladimir 'phcoder' Serbinenko
85002bf34a Agglomerate more mallocs to speed-up gfxterm. 2013-05-04 22:23:23 +02:00
Vladimir 'phcoder' Serbinenko
03f7c8c304 Fix several memory leaks. 2013-05-04 13:47:10 +02:00
Vladimir 'phcoder' Serbinenko
7391c4d5ac * grub-core/gfxmenu/gfxmenu.c (grub_gfxmenu_try): Allow specifying
the theme path relative to $prefix/themes.
2013-05-03 14:08:51 +02:00
Vladimir 'phcoder' Serbinenko
a4f9a5ff92 * grub-core/gfxmenu/view.c (grub_gfxmenu_view_new): Clear
grub_gfxmenu_timeout_notifications.
	(grub_gfxmenu_view_destroy): Likewise.
2013-05-03 14:02:49 +02:00
Vladimir Testov
3476e0ef42 * grub-core/gfxmenu/circular_progress.c: Set start_angle in degrees
with syntax "XXX deg"/"XXX °".
2013-04-29 15:32:56 +02:00
Vladimir Testov
dc5a311a1e * grub-core/gfxmenu/gui_list.c: Refresh first_shown_entry value when
cached view is reused.
	* grub-core/gfxmenu/view.c: Call the refresh procedure for all
	open boot menus.
2013-04-29 13:40:11 +02:00
Vladimir Testov
07f392ebef * grub-core/gfxmenu/gui_progress_bar.c: Handle padding sizes. 2013-04-03 09:34:08 +02:00
Vladimir Testov
c3578acfbb * grub-core/gfxmenu/gui_circular_progress.c: Take both width and height
into account when calculating radius.
2013-04-03 09:20:29 +02:00
Vladimir Testov
9efd73ec66 * grub-core/gfxmenu/view.c: Fix off-by-one error. 2013-04-03 08:53:58 +02:00
Vladimir Testov
4985ddaa7a * grub-core/gfxmenu/gui_circular_progress.c: Fix off-by-one error. 2013-04-03 08:51:13 +02:00