vbatts
/
grub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

hfsplus: Fix two more overflows 

Both node->size and node->namelen come from the supplied filesystem,
which may be user-supplied. We can't trust them for the math unless we
know they don't overflow. Making sure they go through grub_add() or
grub_calloc() first will give us that.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Peter Jones 2020-07-19 14:43:31 -04:00 committed by Daniel Kiper
parent 07e5b79e22
commit f5703eb062
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
grub-core/fs/hfsplus.c
View File

@ -31,6 +31,7 @@
#include <grub/hfs.h>
#include <grub/charset.h>
#include <grub/hfsplus.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
{
char *symlink;
grub_ssize_t numread;
grub_size_t sz = node->size;
symlink = grub_malloc (node->size + 1);
if (grub_add (sz, 1, &sz))
return NULL;
symlink = grub_malloc (sz);
if (!symlink)
return 0;
@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
if (type == GRUB_FSHELP_UNKNOWN)
return 0;
filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
* GRUB_MAX_UTF8_PER_UTF16 + 1);
filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
GRUB_MAX_UTF8_PER_UTF16 + 1);
if (! filename)
return 0;