1*4882a593SmuzhiyunFrom feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Peter Jones <pjones@redhat.com>
3*4882a593SmuzhiyunDate: Sun, 19 Jul 2020 14:43:31 -0400
4*4882a593SmuzhiyunSubject: [PATCH] hfsplus: Fix two more overflows
5*4882a593SmuzhiyunMIME-Version: 1.0
6*4882a593SmuzhiyunContent-Type: text/plain; charset=UTF-8
7*4882a593SmuzhiyunContent-Transfer-Encoding: 8bit
8*4882a593Smuzhiyun
9*4882a593SmuzhiyunBoth node->size and node->namelen come from the supplied filesystem,
10*4882a593Smuzhiyunwhich may be user-supplied. We can't trust them for the math unless we
11*4882a593Smuzhiyunknow they don't overflow. Making sure they go through grub_add() or
12*4882a593Smuzhiyungrub_calloc() first will give us that.
13*4882a593Smuzhiyun
14*4882a593SmuzhiyunSigned-off-by: Peter Jones <pjones@redhat.com>
15*4882a593SmuzhiyunReviewed-by: Darren Kenny <darren.kenny@oracle.com>
16*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
18*4882a593Smuzhiyun---
19*4882a593Smuzhiyun grub-core/fs/hfsplus.c | 11 ++++++++---
20*4882a593Smuzhiyun 1 file changed, 8 insertions(+), 3 deletions(-)
21*4882a593Smuzhiyun
22*4882a593Smuzhiyundiff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
23*4882a593Smuzhiyunindex dae43becc..9c4e4c88c 100644
24*4882a593Smuzhiyun--- a/grub-core/fs/hfsplus.c
25*4882a593Smuzhiyun+++ b/grub-core/fs/hfsplus.c
26*4882a593Smuzhiyun@@ -31,6 +31,7 @@
27*4882a593Smuzhiyun #include <grub/hfs.h>
28*4882a593Smuzhiyun #include <grub/charset.h>
29*4882a593Smuzhiyun #include <grub/hfsplus.h>
30*4882a593Smuzhiyun+#include <grub/safemath.h>
31*4882a593Smuzhiyun
32*4882a593Smuzhiyun GRUB_MOD_LICENSE ("GPLv3+");
33*4882a593Smuzhiyun
34*4882a593Smuzhiyun@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
35*4882a593Smuzhiyun {
36*4882a593Smuzhiyun char *symlink;
37*4882a593Smuzhiyun grub_ssize_t numread;
38*4882a593Smuzhiyun+ grub_size_t sz = node->size;
39*4882a593Smuzhiyun
40*4882a593Smuzhiyun- symlink = grub_malloc (node->size + 1);
41*4882a593Smuzhiyun+ if (grub_add (sz, 1, &sz))
42*4882a593Smuzhiyun+ return NULL;
43*4882a593Smuzhiyun+
44*4882a593Smuzhiyun+ symlink = grub_malloc (sz);
45*4882a593Smuzhiyun if (!symlink)
46*4882a593Smuzhiyun return 0;
47*4882a593Smuzhiyun
48*4882a593Smuzhiyun@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
49*4882a593Smuzhiyun if (type == GRUB_FSHELP_UNKNOWN)
50*4882a593Smuzhiyun return 0;
51*4882a593Smuzhiyun
52*4882a593Smuzhiyun- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
53*4882a593Smuzhiyun- * GRUB_MAX_UTF8_PER_UTF16 + 1);
54*4882a593Smuzhiyun+ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
55*4882a593Smuzhiyun+ GRUB_MAX_UTF8_PER_UTF16 + 1);
56*4882a593Smuzhiyun if (! filename)
57*4882a593Smuzhiyun return 0;
58*4882a593Smuzhiyun
59*4882a593Smuzhiyun--
60*4882a593Smuzhiyun2.26.2
61*4882a593Smuzhiyun
62
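Review bot: In grub_hfsplus_read_symlink the overflow check runs on `sz` only after `node->size` has been copied into a `grub_size_t`, so if that field is wider than `grub_size_t` (its declaration is not in this hunk; this would matter on 32-bit targets) the value is truncated before `grub_add()` sees it. Assuming `grub_add()` wraps the compiler's type-generic overflow builtin, passing the field directly, `if (grub_add (node->size, 1, &sz))`, would also reject sizes that do not fit in the result. The function body continues outside the hunk, and any later read length or terminator index taken from `node->size` should be checked against the allocated `sz`. The new failure path also returns `NULL` with no error recorded, while the next one returns `0`; calling `grub_error (GRUB_ERR_OUT_OF_RANGE, ...)` before the return would let callers that consult grub_errno see the failure, and one spelling of the null return would read more consistently.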
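Review bot: The `grub_calloc()` call in list_nodes does not compute the same size as the lines it replaces: `namelen * GRUB_MAX_UTF8_PER_UTF16 + 1` became `namelen * (GRUB_MAX_UTF8_PER_UTF16 + 1)`, so a `namelen` of zero read from the on-disk catalog key now requests zero bytes where the old expression always reserved one byte for the terminator. If the code after this hunk (not visible here) writes a NUL after converting the name, an empty name would leave no room for it. Keeping the original arithmetic with the checked helpers and a local `grub_size_t sz`, e.g. `if (grub_mul (grub_be_to_cpu16 (catkey->namelen), GRUB_MAX_UTF8_PER_UTF16, &sz) || grub_add (sz, 1, &sz)) return 0;` followed by `filename = grub_malloc (sz);`, covers both the overflow and the empty-name case. If the larger per-character allocation is intended, a comment such as `/* one spare byte per UTF-16 unit; namelen == 0 is rejected earlier */` should say so and name where zero is excluded.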