malloc: Use overflow checking primitives where we do complex allocations

This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:

  X = grub_malloc(arithmetic_expr);

It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.

Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.

Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

grub-core/loader/i386/bsd.c

@@ -35,6 +35,7 @@
 #include <grub/ns8250.h>
 #include <grub/bsdlabel.h>
 #include <grub/crypto.h>
+#include <grub/safemath.h>
 #include <grub/verify.h>
 #ifdef GRUB_MACHINE_PCBIOS
 #include <grub/machine/int.h>
@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
   struct grub_netbsd_btinfo_modules *mods;
   unsigned i;
   grub_err_t err;
+  grub_size_t sz;
 
   for (mod = netbsd_mods; mod; mod = mod->next)
     modcnt++;
 
-  mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
+  if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
+      grub_add (sz, sizeof (*mods), &sz))
+    return GRUB_ERR_OUT_OF_RANGE;
+
+  mods = grub_malloc (sz);
   if (!mods)
     return grub_errno;