From def3df75205454ac5174b6d8a226670d869f1c83 Mon Sep 17 00:00:00 2001
From: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
Date: Sun, 13 May 2012 20:18:33 +0200
Subject: [PATCH] 	* grub-core/fs/udf.c (read_string): Bail out on
 size=0. 	(grub_udf_read_symlink): Handle read_string failure.

---
 ChangeLog          | 5 +++++
 grub-core/fs/udf.c | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index c451e128a..9bdba7c8a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-05-12  Vladimir Serbinenko  <phcoder@gmail.com>
+
+	* grub-core/fs/udf.c (read_string): Bail out on size=0.
+	(grub_udf_read_symlink): Handle read_string failure.
+
 2012-05-12  Vladimir Serbinenko  <phcoder@gmail.com>
 
 	* grub-core/kern/emu/hostdisk.c (read_device_map): Improve TRANSLATORS
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 841667c23..8e28d41e2 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -807,6 +807,9 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
   grub_uint16_t *utf16 = NULL;
   grub_size_t utf16len = 0;
 
+  if (sz == 0)
+    return NULL;
+
   if (raw[0] != 8 && raw[0] != 16)
     return NULL;
 
@@ -989,7 +992,8 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
 	  /* in 4 + n bytes. out, at most: 1 + 2 * n bytes.  */
 	  if (optr != out)
 	    *optr++ = '/';
-	  read_string (ptr + 4, s - 4, optr);
+	  if (!read_string (ptr + 4, s - 4, optr))
+	    goto fail;
 	  optr += grub_strlen (optr);
 	  break;
 	default: