malloc: Use overflow checking primitives where we do complex allocations

This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:

  X = grub_malloc(arithmetic_expr);

It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.

Among other issues, this fixes:
  - allocation of integer overflow in grub_video_bitmap_create()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_squash_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_ext2_read_symlink()
    reported by Chris Coulson,
  - allocation of integer overflow in read_section_as_string()
    reported by Chris Coulson.

Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

grub-core/normal/charset.c

@@ -48,6 +48,7 @@
 #include <grub/unicode.h>
 #include <grub/term.h>
 #include <grub/normal.h>
+#include <grub/safemath.h>
 
 #if HAVE_FONT_SOURCE
 #include "widthspec.h"
@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
 	{
 	  struct grub_unicode_combining *n;
 	  unsigned j;
+	  grub_size_t sz;
 
 	  if (!haveout)
 	    continue;
@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
 	    n = out->combining_inline;
 	  else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
 	    {
-	      n = grub_realloc (out->combining_ptr,
-				sizeof (n[0]) * (out->ncomb + 1));
+	      if (grub_add (out->ncomb, 1, &sz) ||
+		  grub_mul (sz, sizeof (n[0]), &sz))
+		goto fail;
+
+	      n = grub_realloc (out->combining_ptr, sz);
 	      if (!n)
 		{
+ fail:
 		  grub_errno = GRUB_ERR_NONE;
 		  continue;
 		}