hfsplus: Fix two more overflows
Both node->size and node->namelen come from the supplied filesystem, which may be user-supplied. We can't trust them for the math unless we know they don't overflow. Making sure they go through grub_add() or grub_calloc() first will give us that. Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Peter Jones
Daniel Kiper
parent
07e5b79e22
commit
f5703eb062
1 changed files with 8 additions and 3 deletions
|
|
@ -31,6 +31,7 @@
|
|||
#include <grub/hfs.h>
|
||||
#include <grub/charset.h>
|
||||
#include <grub/hfsplus.h>
|
||||
#include <grub/safemath.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
|
|
@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
|
|||
{
|
||||
char *symlink;
|
||||
grub_ssize_t numread;
|
||||
grub_size_t sz = node->size;
|
||||
|
||||
symlink = grub_malloc (node->size + 1);
|
||||
if (grub_add (sz, 1, &sz))
|
||||
return NULL;
|
||||
|
||||
symlink = grub_malloc (sz);
|
||||
if (!symlink)
|
||||
return 0;
|
||||
|
||||
|
|
@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
|
|||
if (type == GRUB_FSHELP_UNKNOWN)
|
||||
return 0;
|
||||
|
||||
filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
|
||||
* GRUB_MAX_UTF8_PER_UTF16 + 1);
|
||||
filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
|
||||
GRUB_MAX_UTF8_PER_UTF16 + 1);
|
||||
if (! filename)
|
||||
return 0;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue