1From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Sun, 19 Jul 2020 14:43:31 -0400
4Subject: [PATCH] hfsplus: Fix two more overflows
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Both node->size and node->namelen come from the supplied filesystem,
10which may be user-supplied. We can't trust them for the math unless we
11know they don't overflow. Making sure they go through grub_add() or
12grub_calloc() first will give us that.
13
14Signed-off-by: Peter Jones <pjones@redhat.com>
15Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
18---
19 grub-core/fs/hfsplus.c | 11 ++++++++---
20 1 file changed, 8 insertions(+), 3 deletions(-)
21
22diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
23index dae43becc..9c4e4c88c 100644
24--- a/grub-core/fs/hfsplus.c
25+++ b/grub-core/fs/hfsplus.c
26@@ -31,6 +31,7 @@
27 #include <grub/hfs.h>
28 #include <grub/charset.h>
29 #include <grub/hfsplus.h>
30+#include <grub/safemath.h>
31
32 GRUB_MOD_LICENSE ("GPLv3+");
33
34@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
35 {
36 char *symlink;
37 grub_ssize_t numread;
38+ grub_size_t sz = node->size;
39
40- symlink = grub_malloc (node->size + 1);
41+ if (grub_add (sz, 1, &sz))
42+ return NULL;
43+
44+ symlink = grub_malloc (sz);
45 if (!symlink)
46 return 0;
47
48@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
49 if (type == GRUB_FSHELP_UNKNOWN)
50 return 0;
51
52- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
53- * GRUB_MAX_UTF8_PER_UTF16 + 1);
54+ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
55+ GRUB_MAX_UTF8_PER_UTF16 + 1);
56 if (! filename)
57 return 0;
58
59--
602.26.2
61
62
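Review bot: In grub_hfsplus_read_symlink the initialiser `grub_size_t sz = node->size;` converts the size before the overflow check runs, so if node->size is declared wider than grub_size_t (its type is not visible in this hunk) a large on-disk value is truncated silently and grub_add() never sees it. Passing the field straight to the checked add, `grub_size_t sz;` followed by `if (grub_add (node->size, 1, &sz))`, lets the check cover the narrowing too, assuming grub_add() tests the result against the destination type. The function body continues outside the hunk, and any later read length or terminator index there that still uses node->size should be bounded by the same checked value. The new failure path also returns NULL without setting grub_errno while the allocation failure just below returns 0; one spelling and an explicit error would make a rejected image easier to diagnose.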
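Review bot: With a zero `catkey->namelen` the new `grub_calloc (grub_be_to_cpu16 (catkey->namelen), GRUB_MAX_UTF8_PER_UTF16 + 1)` in list_nodes requests zero elements, whereas the removed expression always asked for at least one byte for the terminator. The rest of list_nodes is outside the hunk, so whether a terminator is written into filename for an empty name cannot be confirmed here; if it is, that write has no guaranteed room. Counting the terminator in the element count keeps the one-byte minimum and is never smaller than the old size: `filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen) + 1, GRUB_MAX_UTF8_PER_UTF16);`. A short comment noting that namelen is read from the filesystem image and is untrusted would help the next reader.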