malloc: Use overflow checking primitives where we do complex allocations
This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
  X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
			
			
This commit is contained in:
		
							parent
							
								
									f725fa7cb2
								
							
						
					
					
						commit
						3f05d693d1
					
				
					 23 changed files with 382 additions and 113 deletions
				
			
		|  | @ -32,6 +32,7 @@ | |||
| #include <grub/auth.h> | ||||
| #include <grub/disk.h> | ||||
| #include <grub/partition.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -104,13 +105,22 @@ legacy_file (const char *filename) | |||
| 	if (newsuffix) | ||||
| 	  { | ||||
| 	    char *t; | ||||
| 	     | ||||
| 	    grub_size_t sz; | ||||
| 
 | ||||
| 	    if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) || | ||||
| 		grub_add (sz, 1, &sz)) | ||||
| 	      { | ||||
| 		grub_errno = GRUB_ERR_OUT_OF_RANGE; | ||||
| 		goto fail_0; | ||||
| 	      } | ||||
| 
 | ||||
| 	    t = suffix; | ||||
| 	    suffix = grub_realloc (suffix, grub_strlen (suffix) | ||||
| 				   + grub_strlen (newsuffix) + 1); | ||||
| 	    suffix = grub_realloc (suffix, sz); | ||||
| 	    if (!suffix) | ||||
| 	      { | ||||
| 		grub_free (t); | ||||
| 
 | ||||
|  fail_0: | ||||
| 		grub_free (entrysrc); | ||||
| 		grub_free (parsed); | ||||
| 		grub_free (newsuffix); | ||||
|  | @ -154,13 +164,22 @@ legacy_file (const char *filename) | |||
| 	  else | ||||
| 	    { | ||||
| 	      char *t; | ||||
| 	      grub_size_t sz; | ||||
| 
 | ||||
| 	      if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) || | ||||
| 		  grub_add (sz, 1, &sz)) | ||||
| 		{ | ||||
| 		  grub_errno = GRUB_ERR_OUT_OF_RANGE; | ||||
| 		  goto fail_1; | ||||
| 		} | ||||
| 
 | ||||
| 	      t = entrysrc; | ||||
| 	      entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc) | ||||
| 				       + grub_strlen (parsed) + 1); | ||||
| 	      entrysrc = grub_realloc (entrysrc, sz); | ||||
| 	      if (!entrysrc) | ||||
| 		{ | ||||
| 		  grub_free (t); | ||||
| 
 | ||||
|  fail_1: | ||||
| 		  grub_free (parsed); | ||||
| 		  grub_free (suffix); | ||||
| 		  return grub_errno; | ||||
|  |  | |||
|  | @ -23,6 +23,7 @@ | |||
| #include <grub/file.h> | ||||
| #include <grub/device.h> | ||||
| #include <grub/script_sh.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| #include <regex.h> | ||||
| 
 | ||||
|  | @ -48,6 +49,7 @@ merge (char **dest, char **ps) | |||
|   int i; | ||||
|   int j; | ||||
|   char **p; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (! dest) | ||||
|     return ps; | ||||
|  | @ -60,7 +62,12 @@ merge (char **dest, char **ps) | |||
|   for (j = 0; ps[j]; j++) | ||||
|     ; | ||||
| 
 | ||||
|   p = grub_realloc (dest, sizeof (char*) * (i + j + 1)); | ||||
|   if (grub_add (i, j, &sz) || | ||||
|       grub_add (sz, 1, &sz) || | ||||
|       grub_mul (sz, sizeof (char *), &sz)) | ||||
|     return dest; | ||||
| 
 | ||||
|   p = grub_realloc (dest, sz); | ||||
|   if (! p) | ||||
|     { | ||||
|       grub_free (dest); | ||||
|  | @ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp) | |||
|   char ch; | ||||
|   int i = 0; | ||||
|   unsigned len = end - start; | ||||
|   char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */ | ||||
|   char *buffer; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   /* Worst case size is (len * 2 + 2 + 1). */ | ||||
|   if (grub_mul (len, 2, &sz) || | ||||
|       grub_add (sz, 3, &sz)) | ||||
|     return 1; | ||||
| 
 | ||||
|   buffer = grub_malloc (sz); | ||||
|   if (! buffer) | ||||
|     return 1; | ||||
| 
 | ||||
|  | @ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data) | |||
|   struct match_devices_ctx *ctx = data; | ||||
|   char **t; | ||||
|   char *buffer; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   /* skip partitions if asked to. */ | ||||
|   if (ctx->noparts && grub_strchr (name, ',')) | ||||
|  | @ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data) | |||
|   if (regexec (ctx->regexp, buffer, 0, 0, 0)) | ||||
|     { | ||||
|       grub_dprintf ("expand", "not matched\n"); | ||||
|  fail: | ||||
|       grub_free (buffer); | ||||
|       return 0; | ||||
|     } | ||||
| 
 | ||||
|   t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2)); | ||||
|   if (grub_add (ctx->ndev, 2, &sz) || | ||||
|       grub_mul (sz, sizeof (char *), &sz)) | ||||
|     goto fail; | ||||
| 
 | ||||
|   t = grub_realloc (ctx->devs, sz); | ||||
|   if (! t) | ||||
|     { | ||||
|       grub_free (buffer); | ||||
|  | @ -300,6 +320,7 @@ match_files_iter (const char *name, | |||
|   struct match_files_ctx *ctx = data; | ||||
|   char **t; | ||||
|   char *buffer; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   /* skip . and .. names */ | ||||
|   if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0) | ||||
|  | @ -315,9 +336,14 @@ match_files_iter (const char *name, | |||
|   if (! buffer) | ||||
|     return 1; | ||||
| 
 | ||||
|   t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2)); | ||||
|   if (! t) | ||||
|   if (grub_add (ctx->nfile, 2, &sz) || | ||||
|       grub_mul (sz, sizeof (char *), &sz)) | ||||
|     goto fail; | ||||
| 
 | ||||
|   t = grub_realloc (ctx->files, sz); | ||||
|   if (!t) | ||||
|     { | ||||
|  fail: | ||||
|       grub_free (buffer); | ||||
|       return 1; | ||||
|     } | ||||
|  |  | |||
|  | @ -25,6 +25,7 @@ | |||
| #include <grub/msdos_partition.h> | ||||
| #include <grub/gpt_partition.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| #ifdef GRUB_UTIL | ||||
| #include <grub/emu/misc.h> | ||||
|  | @ -289,6 +290,7 @@ make_vg (grub_disk_t disk, | |||
|       struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE | ||||
| 				/ sizeof (struct grub_ldm_vblk)]; | ||||
|       unsigned i; | ||||
|       grub_size_t sz; | ||||
|       err = grub_disk_read (disk, cursec, 0, | ||||
| 			    sizeof(vblk), &vblk); | ||||
|       if (err) | ||||
|  | @ -350,7 +352,13 @@ make_vg (grub_disk_t disk, | |||
| 	      grub_free (lv); | ||||
| 	      goto fail2; | ||||
| 	    } | ||||
| 	  lv->name = grub_malloc (*ptr + 1); | ||||
| 	  if (grub_add (*ptr, 1, &sz)) | ||||
| 	    { | ||||
| 	      grub_free (lv->internal_id); | ||||
| 	      grub_free (lv); | ||||
| 	      goto fail2; | ||||
| 	    } | ||||
| 	  lv->name = grub_malloc (sz); | ||||
| 	  if (!lv->name) | ||||
| 	    { | ||||
| 	      grub_free (lv->internal_id); | ||||
|  | @ -599,10 +607,13 @@ make_vg (grub_disk_t disk, | |||
| 	  if (lv->segments->node_alloc == lv->segments->node_count) | ||||
| 	    { | ||||
| 	      void *t; | ||||
| 	      lv->segments->node_alloc *= 2;  | ||||
| 	      t = grub_realloc (lv->segments->nodes, | ||||
| 				sizeof (*lv->segments->nodes) | ||||
| 				* lv->segments->node_alloc); | ||||
| 	      grub_size_t sz; | ||||
| 
 | ||||
| 	      if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) || | ||||
| 		  grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz)) | ||||
| 		goto fail2; | ||||
| 
 | ||||
| 	      t = grub_realloc (lv->segments->nodes, sz); | ||||
| 	      if (!t) | ||||
| 		goto fail2; | ||||
| 	      lv->segments->nodes = t; | ||||
|  | @ -723,10 +734,13 @@ make_vg (grub_disk_t disk, | |||
| 	      if (comp->segment_alloc == comp->segment_count) | ||||
| 		{ | ||||
| 		  void *t; | ||||
| 		  comp->segment_alloc *= 2; | ||||
| 		  t = grub_realloc (comp->segments, | ||||
| 				    comp->segment_alloc | ||||
| 				    * sizeof (*comp->segments)); | ||||
| 		  grub_size_t sz; | ||||
| 
 | ||||
| 		  if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) || | ||||
| 		      grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz)) | ||||
| 		    goto fail2; | ||||
| 
 | ||||
| 		  t = grub_realloc (comp->segments, sz); | ||||
| 		  if (!t) | ||||
| 		    goto fail2; | ||||
| 		  comp->segments = t; | ||||
|  |  | |||
|  | @ -30,6 +30,7 @@ | |||
| #include <grub/unicode.h> | ||||
| #include <grub/fontformat.h> | ||||
| #include <grub/env.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -360,9 +361,13 @@ static char * | |||
| read_section_as_string (struct font_file_section *section) | ||||
| { | ||||
|   char *str; | ||||
|   grub_size_t sz; | ||||
|   grub_ssize_t ret; | ||||
| 
 | ||||
|   str = grub_malloc (section->length + 1); | ||||
|   if (grub_add (section->length, 1, &sz)) | ||||
|     return NULL; | ||||
| 
 | ||||
|   str = grub_malloc (sz); | ||||
|   if (!str) | ||||
|     return 0; | ||||
| 
 | ||||
|  |  | |||
|  | @ -40,6 +40,7 @@ | |||
| #include <grub/btrfs.h> | ||||
| #include <grub/crypto.h> | ||||
| #include <grub/diskfilter.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -331,9 +332,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc, | |||
|   if (desc->allocated < desc->depth) | ||||
|     { | ||||
|       void *newdata; | ||||
|       desc->allocated *= 2; | ||||
|       newdata = grub_realloc (desc->data, sizeof (desc->data[0]) | ||||
| 			      * desc->allocated); | ||||
|       grub_size_t sz; | ||||
| 
 | ||||
|       if (grub_mul (desc->allocated, 2, &desc->allocated) || | ||||
| 	  grub_mul (desc->allocated, sizeof (desc->data[0]), &sz)) | ||||
| 	return GRUB_ERR_OUT_OF_RANGE; | ||||
| 
 | ||||
|       newdata = grub_realloc (desc->data, sz); | ||||
|       if (!newdata) | ||||
| 	return grub_errno; | ||||
|       desc->data = newdata; | ||||
|  | @ -624,16 +629,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id) | |||
|   if (data->n_devices_attached > data->n_devices_allocated) | ||||
|     { | ||||
|       void *tmp; | ||||
|       data->n_devices_allocated = 2 * data->n_devices_attached + 1; | ||||
|       data->devices_attached | ||||
| 	= grub_realloc (tmp = data->devices_attached, | ||||
| 			data->n_devices_allocated | ||||
| 			* sizeof (data->devices_attached[0])); | ||||
|       grub_size_t sz; | ||||
| 
 | ||||
|       if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) || | ||||
| 	  grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) || | ||||
| 	  grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz)) | ||||
| 	goto fail; | ||||
| 
 | ||||
|       data->devices_attached = grub_realloc (tmp = data->devices_attached, sz); | ||||
|       if (!data->devices_attached) | ||||
| 	{ | ||||
| 	  data->devices_attached = tmp; | ||||
| 
 | ||||
|  fail: | ||||
| 	  if (ctx.dev_found) | ||||
| 	    grub_device_close (ctx.dev_found); | ||||
| 	  data->devices_attached = tmp; | ||||
| 	  return NULL; | ||||
| 	} | ||||
|     } | ||||
|  |  | |||
|  | @ -46,6 +46,7 @@ | |||
| #include <grub/dl.h> | ||||
| #include <grub/types.h> | ||||
| #include <grub/fshelp.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) | |||
| { | ||||
|   char *symlink; | ||||
|   struct grub_fshelp_node *diro = node; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (! diro->inode_read) | ||||
|     { | ||||
|  | @ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) | |||
|        } | ||||
|     } | ||||
| 
 | ||||
|   symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1); | ||||
|   if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz)) | ||||
|     { | ||||
|       grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
|       return NULL; | ||||
|     } | ||||
| 
 | ||||
|   symlink = grub_malloc (sz); | ||||
|   if (! symlink) | ||||
|     return 0; | ||||
| 
 | ||||
|  |  | |||
|  | @ -28,6 +28,7 @@ | |||
| #include <grub/fshelp.h> | ||||
| #include <grub/charset.h> | ||||
| #include <grub/datetime.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx, | |||
| 	  int len2) | ||||
| { | ||||
|   int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1); | ||||
|   if (grub_add (size, len2, &sz) || | ||||
|       grub_add (sz, 1, &sz)) | ||||
|     return; | ||||
| 
 | ||||
|   ctx->symlink = grub_realloc (ctx->symlink, sz); | ||||
|   if (! ctx->symlink) | ||||
|     return; | ||||
| 
 | ||||
|  | @ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, | |||
| 	{ | ||||
| 	  grub_size_t off = 0, csize = 1; | ||||
| 	  char *old; | ||||
| 	  grub_size_t sz; | ||||
| 
 | ||||
| 	  csize = entry->len - 5; | ||||
| 	  old = ctx->filename; | ||||
| 	  if (ctx->filename_alloc) | ||||
| 	    { | ||||
| 	      off = grub_strlen (ctx->filename); | ||||
| 	      ctx->filename = grub_realloc (ctx->filename, csize + off + 1); | ||||
| 	      if (grub_add (csize, off, &sz) || | ||||
| 		  grub_add (sz, 1, &sz)) | ||||
| 		return GRUB_ERR_OUT_OF_RANGE; | ||||
| 	      ctx->filename = grub_realloc (ctx->filename, sz); | ||||
| 	    } | ||||
| 	  else | ||||
| 	    { | ||||
| 	      off = 0; | ||||
| 	      ctx->filename = grub_zalloc (csize + 1); | ||||
| 	      if (grub_add (csize, 1, &sz)) | ||||
| 		return GRUB_ERR_OUT_OF_RANGE; | ||||
| 	      ctx->filename = grub_zalloc (sz); | ||||
| 	    } | ||||
| 	  if (!ctx->filename) | ||||
| 	    { | ||||
|  | @ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, | |||
| 	    if (node->have_dirents >= node->alloc_dirents) | ||||
| 	      { | ||||
| 		struct grub_fshelp_node *new_node; | ||||
| 		node->alloc_dirents *= 2; | ||||
| 		new_node = grub_realloc (node,  | ||||
| 					 sizeof (struct grub_fshelp_node) | ||||
| 					 + ((node->alloc_dirents | ||||
| 					     - ARRAY_SIZE (node->dirents)) | ||||
| 					    * sizeof (node->dirents[0]))); | ||||
| 		grub_size_t sz; | ||||
| 
 | ||||
| 		if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) || | ||||
| 		    grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) || | ||||
| 		    grub_mul (sz, sizeof (node->dirents[0]), &sz) || | ||||
| 		    grub_add (sz, sizeof (struct grub_fshelp_node), &sz)) | ||||
| 		  goto fail_0; | ||||
| 
 | ||||
| 		new_node = grub_realloc (node, sz); | ||||
| 		if (!new_node) | ||||
| 		  { | ||||
|  fail_0: | ||||
| 		    if (ctx.filename_alloc) | ||||
| 		      grub_free (ctx.filename); | ||||
| 		    grub_free (node); | ||||
|  | @ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, | |||
| 		* sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1) | ||||
| 	      { | ||||
| 		struct grub_fshelp_node *new_node; | ||||
| 		new_node = grub_realloc (node, | ||||
| 					 sizeof (struct grub_fshelp_node) | ||||
| 					 + ((node->alloc_dirents | ||||
| 					     - ARRAY_SIZE (node->dirents)) | ||||
| 					    * sizeof (node->dirents[0])) | ||||
| 					 + grub_strlen (ctx.symlink) + 1); | ||||
| 		grub_size_t sz; | ||||
| 
 | ||||
| 		if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) || | ||||
| 		    grub_mul (sz, sizeof (node->dirents[0]), &sz) || | ||||
| 		    grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) || | ||||
| 		    grub_add (sz, grub_strlen (ctx.symlink), &sz)) | ||||
| 		  goto fail_1; | ||||
| 
 | ||||
| 		new_node = grub_realloc (node, sz); | ||||
| 		if (!new_node) | ||||
| 		  { | ||||
|  fail_1: | ||||
| 		    if (ctx.filename_alloc) | ||||
| 		      grub_free (ctx.filename); | ||||
| 		    grub_free (node); | ||||
|  |  | |||
|  | @ -26,6 +26,7 @@ | |||
| #include <grub/types.h> | ||||
| #include <grub/fshelp.h> | ||||
| #include <grub/charset.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) | |||
|       if (node->cache && node->cache_size >= node->cache_allocated) | ||||
| 	{ | ||||
| 	  struct cache_entry *e = node->cache; | ||||
| 	  e = grub_realloc (node->cache,node->cache_allocated * 2 | ||||
| 			    * sizeof (e[0])); | ||||
| 	  grub_size_t sz; | ||||
| 
 | ||||
| 	  if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz)) | ||||
| 	    goto fail; | ||||
| 
 | ||||
| 	  e = grub_realloc (node->cache, sz); | ||||
| 	  if (!e) | ||||
| 	    { | ||||
|  fail: | ||||
| 	      grub_errno = 0; | ||||
| 	      grub_free (node->cache); | ||||
| 	      node->cache = 0; | ||||
|  | @ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node, | |||
|   grub_size_t len = grub_strlen (name); | ||||
|   grub_uint8_t *name_u8; | ||||
|   int ret; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) || | ||||
|       grub_add (sz, 1, &sz)) | ||||
|     return 1; | ||||
| 
 | ||||
|   *node = grub_malloc (sizeof (**node)); | ||||
|   if (!*node) | ||||
|     return 1; | ||||
|   name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); | ||||
|   name_u8 = grub_malloc (sz); | ||||
|   if (!name_u8) | ||||
|     { | ||||
|       grub_free (*node); | ||||
|  | @ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label) | |||
|   data = grub_sfs_mount (disk); | ||||
|   if (data) | ||||
|     { | ||||
|       grub_size_t len = grub_strlen (data->label); | ||||
|       *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); | ||||
|       grub_size_t sz, len = grub_strlen (data->label); | ||||
| 
 | ||||
|       if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) || | ||||
| 	  grub_add (sz, 1, &sz)) | ||||
| 	return GRUB_ERR_OUT_OF_RANGE; | ||||
| 
 | ||||
|       *label = grub_malloc (sz); | ||||
|       if (*label) | ||||
| 	*grub_latin1_to_utf8 ((grub_uint8_t *) *label, | ||||
| 			      (const grub_uint8_t *) data->label, | ||||
|  |  | |||
|  | @ -26,6 +26,7 @@ | |||
| #include <grub/types.h> | ||||
| #include <grub/fshelp.h> | ||||
| #include <grub/deflate.h> | ||||
| #include <grub/safemath.h> | ||||
| #include <minilzo.h> | ||||
| 
 | ||||
| #include "xz.h" | ||||
|  | @ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node) | |||
| { | ||||
|   char *ret; | ||||
|   grub_err_t err; | ||||
|   ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1); | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz)) | ||||
|     { | ||||
|       grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
|       return NULL; | ||||
|     } | ||||
| 
 | ||||
|   ret = grub_malloc (sz); | ||||
|   if (!ret) | ||||
|     return NULL; | ||||
| 
 | ||||
|   err = read_chunk (node->data, ret, | ||||
| 		    grub_le_to_cpu32 (node->ino.symlink.namelen), | ||||
|  | @ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | |||
| 
 | ||||
|   { | ||||
|     grub_fshelp_node_t node; | ||||
|     node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||||
|     grub_size_t sz; | ||||
| 
 | ||||
|     if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) || | ||||
| 	grub_add (sz, sizeof (*node), &sz)) | ||||
|       return 0; | ||||
| 
 | ||||
|     node = grub_malloc (sz); | ||||
|     if (!node) | ||||
|       return 0; | ||||
|     grub_memcpy (node, dir, | ||||
| 		 sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||||
|     grub_memcpy (node, dir, sz); | ||||
|     if (hook (".", GRUB_FSHELP_DIR, node, hook_data)) | ||||
|       return 1; | ||||
| 
 | ||||
|  | @ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | |||
|       { | ||||
| 	grub_err_t err; | ||||
| 
 | ||||
| 	node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||||
| 	if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) || | ||||
| 	    grub_add (sz, sizeof (*node), &sz)) | ||||
| 	  return 0; | ||||
| 
 | ||||
| 	node = grub_malloc (sz); | ||||
| 	if (!node) | ||||
| 	  return 0; | ||||
| 
 | ||||
| 	grub_memcpy (node, dir, | ||||
| 		     sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||||
| 	grub_memcpy (node, dir, sz); | ||||
| 
 | ||||
| 	node->stsize--; | ||||
| 	err = read_chunk (dir->data, &node->ino, sizeof (node->ino), | ||||
|  | @ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | |||
| 	  enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG; | ||||
| 	  struct grub_squash_dirent di; | ||||
| 	  struct grub_squash_inode ino; | ||||
| 	  grub_size_t sz; | ||||
| 
 | ||||
| 	  err = read_chunk (dir->data, &di, sizeof (di), | ||||
| 			    grub_le_to_cpu64 (dir->data->sb.diroffset) | ||||
|  | @ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, | |||
| 	  if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK) | ||||
| 	    filetype = GRUB_FSHELP_SYMLINK; | ||||
| 
 | ||||
| 	  node = grub_malloc (sizeof (*node) | ||||
| 			      + (dir->stsize + 1) * sizeof (dir->stack[0])); | ||||
| 	  if (grub_add (dir->stsize, 1, &sz) || | ||||
| 	      grub_mul (sz, sizeof (dir->stack[0]), &sz) || | ||||
| 	      grub_add (sz, sizeof (*node), &sz)) | ||||
| 	    return 0; | ||||
| 
 | ||||
| 	  node = grub_malloc (sz); | ||||
| 	  if (! node) | ||||
| 	    return 0; | ||||
| 
 | ||||
| 	  grub_memcpy (node, dir, | ||||
| 		       sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); | ||||
| 	  grub_memcpy (node, dir, sz - sizeof(dir->stack[0])); | ||||
| 
 | ||||
| 	  node->ino = ino; | ||||
| 	  node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk); | ||||
|  |  | |||
|  | @ -28,6 +28,7 @@ | |||
| #include <grub/charset.h> | ||||
| #include <grub/datetime.h> | ||||
| #include <grub/udf.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) | |||
| 	utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2]; | ||||
|     } | ||||
|   if (!outbuf) | ||||
|     outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1); | ||||
|     { | ||||
|       grub_size_t size; | ||||
| 
 | ||||
|       if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) || | ||||
| 	  grub_add (size, 1, &size)) | ||||
| 	goto fail; | ||||
| 
 | ||||
|       outbuf = grub_malloc (size); | ||||
|     } | ||||
|   if (outbuf) | ||||
|     *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0'; | ||||
| 
 | ||||
|  fail: | ||||
|   grub_free (utf16); | ||||
|   return outbuf; | ||||
| } | ||||
|  | @ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | |||
|   grub_size_t sz = U64 (node->block.fe.file_size); | ||||
|   grub_uint8_t *raw; | ||||
|   const grub_uint8_t *ptr; | ||||
|   char *out, *optr; | ||||
|   char *out = NULL, *optr; | ||||
| 
 | ||||
|   if (sz < 4) | ||||
|     return NULL; | ||||
|  | @ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | |||
|   if (!raw) | ||||
|     return NULL; | ||||
|   if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0) | ||||
|     { | ||||
|       grub_free (raw); | ||||
|       return NULL; | ||||
|     } | ||||
|     goto fail_1; | ||||
| 
 | ||||
|   out = grub_malloc (sz * 2 + 1); | ||||
|   if (grub_mul (sz, 2, &sz) || | ||||
|       grub_add (sz, 1, &sz)) | ||||
|     goto fail_0; | ||||
| 
 | ||||
|   out = grub_malloc (sz); | ||||
|   if (!out) | ||||
|     { | ||||
|  fail_0: | ||||
|       grub_free (raw); | ||||
|       return NULL; | ||||
|     } | ||||
|  | @ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | |||
|     { | ||||
|       grub_size_t s; | ||||
|       if ((grub_size_t) (ptr - raw + 4) > sz) | ||||
| 	goto fail; | ||||
| 	goto fail_1; | ||||
|       if (!(ptr[2] == 0 && ptr[3] == 0)) | ||||
| 	goto fail; | ||||
| 	goto fail_1; | ||||
|       s = 4 + ptr[1]; | ||||
|       if ((grub_size_t) (ptr - raw + s) > sz) | ||||
| 	goto fail; | ||||
| 	goto fail_1; | ||||
|       switch (*ptr) | ||||
| 	{ | ||||
| 	case 1: | ||||
| 	  if (ptr[1]) | ||||
| 	    goto fail; | ||||
| 	    goto fail_1; | ||||
| 	  /* Fallthrough.  */ | ||||
| 	case 2: | ||||
| 	  /* in 4 bytes. out: 1 byte.  */ | ||||
|  | @ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | |||
| 	  if (optr != out) | ||||
| 	    *optr++ = '/'; | ||||
| 	  if (!read_string (ptr + 4, s - 4, optr)) | ||||
| 	    goto fail; | ||||
| 	    goto fail_1; | ||||
| 	  optr += grub_strlen (optr); | ||||
| 	  break; | ||||
| 	default: | ||||
| 	  goto fail; | ||||
| 	  goto fail_1; | ||||
| 	} | ||||
|       ptr += s; | ||||
|     } | ||||
|  | @ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node) | |||
|   grub_free (raw); | ||||
|   return out; | ||||
| 
 | ||||
|  fail: | ||||
|  fail_1: | ||||
|   grub_free (raw); | ||||
|   grub_free (out); | ||||
|   grub_error (GRUB_ERR_BAD_FS, "invalid symlink"); | ||||
|  |  | |||
|  | @ -25,6 +25,7 @@ | |||
| #include <grub/dl.h> | ||||
| #include <grub/types.h> | ||||
| #include <grub/fshelp.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -899,6 +900,7 @@ static struct grub_xfs_data * | |||
| grub_xfs_mount (grub_disk_t disk) | ||||
| { | ||||
|   struct grub_xfs_data *data = 0; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   data = grub_zalloc (sizeof (struct grub_xfs_data)); | ||||
|   if (!data) | ||||
|  | @ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk) | |||
|   if (!grub_xfs_sb_valid(data)) | ||||
|     goto fail; | ||||
| 
 | ||||
|   data = grub_realloc (data, | ||||
| 		       sizeof (struct grub_xfs_data) | ||||
| 		       - sizeof (struct grub_xfs_inode) | ||||
| 		       + grub_xfs_inode_size(data) + 1); | ||||
|   if (grub_add (grub_xfs_inode_size (data), | ||||
|       sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz)) | ||||
|     goto fail; | ||||
| 
 | ||||
|   data = grub_realloc (data, sz); | ||||
| 
 | ||||
|   if (! data) | ||||
|     goto fail; | ||||
|  |  | |||
|  | @ -55,6 +55,7 @@ | |||
| #include <grub/deflate.h> | ||||
| #include <grub/crypto.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -776,11 +777,14 @@ fill_vdev_info (struct grub_zfs_data *data, | |||
|   if (data->n_devices_attached > data->n_devices_allocated) | ||||
|     { | ||||
|       void *tmp; | ||||
|       data->n_devices_allocated = 2 * data->n_devices_attached + 1; | ||||
|       data->devices_attached | ||||
| 	= grub_realloc (tmp = data->devices_attached, | ||||
| 			data->n_devices_allocated | ||||
| 			* sizeof (data->devices_attached[0])); | ||||
|       grub_size_t sz; | ||||
| 
 | ||||
|       if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) || | ||||
| 	  grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) || | ||||
| 	  grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz)) | ||||
| 	return GRUB_ERR_OUT_OF_RANGE; | ||||
| 
 | ||||
|       data->devices_attached = grub_realloc (tmp = data->devices_attached, sz); | ||||
|       if (!data->devices_attached) | ||||
| 	{ | ||||
| 	  data->devices_attached = tmp; | ||||
|  | @ -3471,14 +3475,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name) | |||
| { | ||||
|   char *nvpair; | ||||
|   char *ret; | ||||
|   grub_size_t size; | ||||
|   grub_size_t size, sz; | ||||
|   int found; | ||||
| 
 | ||||
|   found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair, | ||||
| 			     &size, 0); | ||||
|   if (!found) | ||||
|     return 0; | ||||
|   ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t)); | ||||
| 
 | ||||
|   if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz)) | ||||
|       return 0; | ||||
| 
 | ||||
|   ret = grub_zalloc (sz); | ||||
|   if (!ret) | ||||
|     return 0; | ||||
|   grub_memcpy (ret, nvlist, sizeof (grub_uint32_t)); | ||||
|  |  | |||
|  | @ -22,6 +22,7 @@ | |||
| #include <grub/misc.h> | ||||
| #include <grub/disk.h> | ||||
| #include <grub/partition.h> | ||||
| #include <grub/safemath.h> | ||||
| #include <grub/dl.h> | ||||
| #include <grub/types.h> | ||||
| #include <grub/zfs/zfs.h> | ||||
|  | @ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in, | |||
| 		  int passphrase) | ||||
| { | ||||
|   struct grub_zfs_wrap_key *key; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (!passphrase && keylen > 32) | ||||
|     keylen = 32; | ||||
|   key = grub_malloc (sizeof (*key) + keylen); | ||||
|   if (grub_add (sizeof (*key), keylen, &sz)) | ||||
|     return GRUB_ERR_OUT_OF_RANGE; | ||||
|   key = grub_malloc (sz); | ||||
|   if (!key) | ||||
|     return grub_errno; | ||||
|   key->is_passphrase = passphrase; | ||||
|  |  | |||
|  | @ -23,6 +23,7 @@ | |||
| #include <grub/term.h> | ||||
| #include <grub/extcmd.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| /* Built-in parser for default options.  */ | ||||
| static const struct grub_arg_option help_options[] = | ||||
|  | @ -216,7 +217,13 @@ static inline grub_err_t | |||
| add_arg (char ***argl, int *num, char *s) | ||||
| { | ||||
|   char **p = *argl; | ||||
|   *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *)); | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (grub_add (++(*num), 1, &sz) || | ||||
|       grub_mul (sz, sizeof (char *), &sz)) | ||||
|     return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
| 
 | ||||
|   *argl = grub_realloc (*argl, sz); | ||||
|   if (! *argl) | ||||
|     { | ||||
|       grub_free (p); | ||||
|  | @ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc, | |||
|   grub_size_t argcnt; | ||||
|   struct grub_arg_list *list; | ||||
|   const struct grub_arg_option *options; | ||||
|   grub_size_t sz0, sz1; | ||||
| 
 | ||||
|   options = extcmd->options; | ||||
|   if (! options) | ||||
|  | @ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc, | |||
| 	argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */ | ||||
|     } | ||||
| 
 | ||||
|   list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt); | ||||
|   if (grub_mul (sizeof (*list), i, &sz0) || | ||||
|       grub_mul (sizeof (char *), argcnt, &sz1) || | ||||
|       grub_add (sz0, sz1, &sz0)) | ||||
|     { | ||||
|       grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
|       return 0; | ||||
|     } | ||||
| 
 | ||||
|   list = grub_zalloc (sz0); | ||||
|   if (! list) | ||||
|     return 0; | ||||
| 
 | ||||
|  |  | |||
|  | @ -35,6 +35,7 @@ | |||
| #include <grub/ns8250.h> | ||||
| #include <grub/bsdlabel.h> | ||||
| #include <grub/crypto.h> | ||||
| #include <grub/safemath.h> | ||||
| #include <grub/verify.h> | ||||
| #ifdef GRUB_MACHINE_PCBIOS | ||||
| #include <grub/machine/int.h> | ||||
|  | @ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void) | |||
|   struct grub_netbsd_btinfo_modules *mods; | ||||
|   unsigned i; | ||||
|   grub_err_t err; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   for (mod = netbsd_mods; mod; mod = mod->next) | ||||
|     modcnt++; | ||||
| 
 | ||||
|   mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt); | ||||
|   if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) || | ||||
|       grub_add (sz, sizeof (*mods), &sz)) | ||||
|     return GRUB_ERR_OUT_OF_RANGE; | ||||
| 
 | ||||
|   mods = grub_malloc (sz); | ||||
|   if (!mods) | ||||
|     return grub_errno; | ||||
| 
 | ||||
|  |  | |||
|  | @ -22,6 +22,7 @@ | |||
| #include <grub/i18n.h> | ||||
| #include <grub/err.h> | ||||
| #include <grub/time.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| struct dns_cache_element | ||||
| { | ||||
|  | @ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s) | |||
|     { | ||||
|       int na = dns_servers_alloc * 2; | ||||
|       struct grub_net_network_level_address *ns; | ||||
|       grub_size_t sz; | ||||
| 
 | ||||
|       if (na < 8) | ||||
| 	na = 8; | ||||
|       ns = grub_realloc (dns_servers, na * sizeof (ns[0])); | ||||
| 
 | ||||
|       if (grub_mul (na, sizeof (ns[0]), &sz)) | ||||
| 	return GRUB_ERR_OUT_OF_RANGE; | ||||
| 
 | ||||
|       ns = grub_realloc (dns_servers, sz); | ||||
|       if (!ns) | ||||
| 	return grub_errno; | ||||
|       dns_servers_alloc = na; | ||||
|  |  | |||
|  | @ -48,6 +48,7 @@ | |||
| #include <grub/unicode.h> | ||||
| #include <grub/term.h> | ||||
| #include <grub/normal.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| #if HAVE_FONT_SOURCE | ||||
| #include "widthspec.h" | ||||
|  | @ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, | |||
| 	{ | ||||
| 	  struct grub_unicode_combining *n; | ||||
| 	  unsigned j; | ||||
| 	  grub_size_t sz; | ||||
| 
 | ||||
| 	  if (!haveout) | ||||
| 	    continue; | ||||
|  | @ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, | |||
| 	    n = out->combining_inline; | ||||
| 	  else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline)) | ||||
| 	    { | ||||
| 	      n = grub_realloc (out->combining_ptr, | ||||
| 				sizeof (n[0]) * (out->ncomb + 1)); | ||||
| 	      if (grub_add (out->ncomb, 1, &sz) || | ||||
| 		  grub_mul (sz, sizeof (n[0]), &sz)) | ||||
| 		goto fail; | ||||
| 
 | ||||
| 	      n = grub_realloc (out->combining_ptr, sz); | ||||
| 	      if (!n) | ||||
| 		{ | ||||
|  fail: | ||||
| 		  grub_errno = GRUB_ERR_NONE; | ||||
| 		  continue; | ||||
| 		} | ||||
|  |  | |||
|  | @ -28,6 +28,7 @@ | |||
| #include <grub/env.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/charset.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| static grub_uint32_t *kill_buf; | ||||
| 
 | ||||
|  | @ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms, | |||
|   if (len + (*llen) >= (*max_len)) | ||||
|     { | ||||
|       grub_uint32_t *nbuf; | ||||
|       (*max_len) *= 2; | ||||
|       nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len)); | ||||
|       grub_size_t sz; | ||||
| 
 | ||||
|       if (grub_mul (*max_len, 2, max_len) || | ||||
| 	  grub_mul (*max_len, sizeof (grub_uint32_t), &sz)) | ||||
| 	{ | ||||
| 	  grub_errno = GRUB_ERR_OUT_OF_RANGE; | ||||
| 	  goto fail; | ||||
| 	} | ||||
| 
 | ||||
|       nbuf = grub_realloc ((*buf), sz); | ||||
|       if (nbuf) | ||||
| 	(*buf) = nbuf; | ||||
|       else | ||||
| 	{ | ||||
|  fail: | ||||
| 	  grub_print_error (); | ||||
| 	  grub_errno = GRUB_ERR_NONE; | ||||
| 	  (*max_len) /= 2; | ||||
|  |  | |||
|  | @ -27,6 +27,7 @@ | |||
| #include <grub/auth.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/charset.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| enum update_mode | ||||
|   { | ||||
|  | @ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra) | |||
| { | ||||
|   if (linep->max_len < linep->len + extra) | ||||
|     { | ||||
|       linep->max_len = 2 * (linep->len + extra); | ||||
|       linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0])); | ||||
|       grub_size_t sz0, sz1; | ||||
| 
 | ||||
|       if (grub_add (linep->len, extra, &sz0) || | ||||
| 	  grub_mul (sz0, 2, &sz0) || | ||||
| 	  grub_add (sz0, 1, &sz1) || | ||||
| 	  grub_mul (sz1, sizeof (linep->buf[0]), &sz1)) | ||||
| 	return 0; | ||||
| 
 | ||||
|       linep->buf = grub_realloc (linep->buf, sz1); | ||||
|       if (! linep->buf) | ||||
| 	return 0; | ||||
|       linep->max_len = sz0; | ||||
|     } | ||||
| 
 | ||||
|   return 1; | ||||
|  |  | |||
|  | @ -20,6 +20,7 @@ | |||
| #include <grub/mm.h> | ||||
| #include <grub/misc.h> | ||||
| #include <grub/script_sh.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| /* Return nearest power of two that is >= v.  */ | ||||
| static unsigned | ||||
|  | @ -81,11 +82,16 @@ int | |||
| grub_script_argv_next (struct grub_script_argv *argv) | ||||
| { | ||||
|   char **p = argv->args; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0) | ||||
|     return 0; | ||||
| 
 | ||||
|   p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *))); | ||||
|   if (grub_add (argv->argc, 2, &sz) || | ||||
|       grub_mul (sz, sizeof (char *), &sz)) | ||||
|     return 1; | ||||
| 
 | ||||
|   p = grub_realloc (p, round_up_exp (sz)); | ||||
|   if (! p) | ||||
|     return 1; | ||||
| 
 | ||||
|  | @ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s, | |||
| { | ||||
|   grub_size_t a; | ||||
|   char *p = argv->args[argv->argc - 1]; | ||||
|   grub_size_t sz; | ||||
| 
 | ||||
|   if (! s) | ||||
|     return 0; | ||||
| 
 | ||||
|   a = p ? grub_strlen (p) : 0; | ||||
| 
 | ||||
|   p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char))); | ||||
|   if (grub_add (a, slen, &sz) || | ||||
|       grub_add (sz, 1, &sz) || | ||||
|       grub_mul (sz, sizeof (char), &sz)) | ||||
|     return 1; | ||||
| 
 | ||||
|   p = grub_realloc (p, round_up_exp (sz)); | ||||
|   if (! p) | ||||
|     return 1; | ||||
| 
 | ||||
|  |  | |||
|  | @ -24,6 +24,7 @@ | |||
| #include <grub/mm.h> | ||||
| #include <grub/script_sh.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| #define yytext_ptr char * | ||||
| #include "grub_script.tab.h" | ||||
|  | @ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str) | |||
|       old = lexer->recording; | ||||
|       if (lexer->recordlen < len) | ||||
| 	lexer->recordlen = len; | ||||
|       lexer->recordlen *= 2; | ||||
| 
 | ||||
|       if (grub_mul (lexer->recordlen, 2, &lexer->recordlen)) | ||||
| 	goto fail; | ||||
| 
 | ||||
|       lexer->recording = grub_realloc (lexer->recording, lexer->recordlen); | ||||
|       if (!lexer->recording) | ||||
| 	{ | ||||
|  fail: | ||||
| 	  grub_free (old); | ||||
| 	  lexer->recordpos = 0; | ||||
| 	  lexer->recordlen = 0; | ||||
|  | @ -130,7 +135,7 @@ int | |||
| grub_script_lexer_yywrap (struct grub_parser_param *parserstate, | ||||
| 			  const char *input) | ||||
| { | ||||
|   grub_size_t len = 0; | ||||
|   grub_size_t len = 0, sz; | ||||
|   char *p = 0; | ||||
|   char *line = 0; | ||||
|   YY_BUFFER_STATE buffer; | ||||
|  | @ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate, | |||
|     } | ||||
|   else if (len && line[len - 1] != '\n') | ||||
|     { | ||||
|       p = grub_realloc (line, len + 2); | ||||
|       if (grub_add (len, 2, &sz)) | ||||
| 	{ | ||||
| 	  grub_free (line); | ||||
| 	  grub_script_yyerror (parserstate, N_("overflow is detected")); | ||||
| 	  return 1; | ||||
| 	} | ||||
| 
 | ||||
|       p = grub_realloc (line, sz); | ||||
|       if (p) | ||||
| 	{ | ||||
| 	  p[len++] = '\n'; | ||||
| 	  p[len] = '\0'; | ||||
| 	} | ||||
|       else | ||||
| 	grub_free (line); | ||||
| 
 | ||||
|       line = p; | ||||
|     } | ||||
| 
 | ||||
|  |  | |||
|  | @ -23,6 +23,7 @@ | |||
| #include <grub/mm.h> | ||||
| #include <grub/misc.h> | ||||
| #include <grub/i18n.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap, | |||
|                           enum grub_video_blit_format blit_format) | ||||
| { | ||||
|   struct grub_video_mode_info *mode_info; | ||||
|   unsigned int size; | ||||
|   grub_size_t size; | ||||
| 
 | ||||
|   if (!bitmap) | ||||
|     return grub_error (GRUB_ERR_BUG, "invalid argument"); | ||||
|  | @ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap, | |||
| 
 | ||||
|   mode_info->pitch = width * mode_info->bytes_per_pixel; | ||||
| 
 | ||||
|   /* Calculate size needed for the data.  */ | ||||
|   size = (width * mode_info->bytes_per_pixel) * height; | ||||
|   /* Calculate size needed for the data. */ | ||||
|   if (grub_mul (width, mode_info->bytes_per_pixel, &size) || | ||||
|       grub_mul (size, height, &size)) | ||||
|     { | ||||
|       grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
|       goto fail; | ||||
|     } | ||||
| 
 | ||||
|   (*bitmap)->data = grub_zalloc (size); | ||||
|   if (! (*bitmap)->data) | ||||
|     { | ||||
|       grub_free (*bitmap); | ||||
|       *bitmap = 0; | ||||
| 
 | ||||
|       return grub_errno; | ||||
|     } | ||||
|     goto fail; | ||||
| 
 | ||||
|   return GRUB_ERR_NONE; | ||||
| 
 | ||||
|  fail: | ||||
|   grub_free (*bitmap); | ||||
|   *bitmap = NULL; | ||||
| 
 | ||||
|   return grub_errno; | ||||
| } | ||||
| 
 | ||||
| /* Frees all resources allocated by bitmap.  */ | ||||
|  |  | |||
|  | @ -23,6 +23,7 @@ | |||
| #include <grub/mm.h> | ||||
| #include <grub/misc.h> | ||||
| #include <grub/bufio.h> | ||||
| #include <grub/safemath.h> | ||||
| 
 | ||||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||||
| 
 | ||||
|  | @ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data) | |||
|       data->bpp <<= 1; | ||||
| 
 | ||||
|   data->color_bits = color_bits; | ||||
|   data->row_bytes = data->image_width * data->bpp; | ||||
| 
 | ||||
|   if (grub_mul (data->image_width, data->bpp, &data->row_bytes)) | ||||
|     return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
| 
 | ||||
|   if (data->color_bits <= 4) | ||||
|     data->row_bytes = (data->image_width * data->color_bits + 7) / 8; | ||||
|     { | ||||
|       if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes)) | ||||
| 	return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); | ||||
| 
 | ||||
|       data->row_bytes >>= 3; | ||||
|     } | ||||
| 
 | ||||
| #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||||
|   if (data->is_16bit || data->is_gray || data->is_palette) | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue