malloc: Use overflow checking primitives where we do complex allocations

This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:

  X = grub_malloc(arithmetic_expr);

It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.

Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.

Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

grub-core/net/dns.c

@@ -22,6 +22,7 @@
 #include <grub/i18n.h>
 #include <grub/err.h>
 #include <grub/time.h>
+#include <grub/safemath.h>
 
 struct dns_cache_element
 {
@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
     {
       int na = dns_servers_alloc * 2;
       struct grub_net_network_level_address *ns;
+      grub_size_t sz;
+
       if (na < 8)
 	na = 8;
-      ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
+
+      if (grub_mul (na, sizeof (ns[0]), &sz))
+	return GRUB_ERR_OUT_OF_RANGE;
+
+      ns = grub_realloc (dns_servers, sz);
       if (!ns)
 	return grub_errno;
       dns_servers_alloc = na;