62 lines
1.8 KiB
Diff
62 lines
1.8 KiB
Diff
|
From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
|
||
|
From: Peter Jones <pjones@redhat.com>
|
||
|
Date: Sun, 19 Jul 2020 14:43:31 -0400
|
||
|
Subject: [PATCH] hfsplus: Fix two more overflows
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
Both node->size and node->namelen come from the supplied filesystem,
|
||
|
which may be user-supplied. We can't trust them for the math unless we
|
||
|
know they don't overflow. Making sure they go through grub_add() or
|
||
|
grub_calloc() first will give us that.
|
||
|
|
||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||
|
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
|
||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||
|
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
|
||
|
---
|
||
|
grub-core/fs/hfsplus.c | 11 ++++++++---
|
||
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
|
||
|
index dae43becc..9c4e4c88c 100644
|
||
|
--- a/grub-core/fs/hfsplus.c
|
||
|
+++ b/grub-core/fs/hfsplus.c
|
||
|
@@ -31,6 +31,7 @@
|
||
|
#include <grub/hfs.h>
|
||
|
#include <grub/charset.h>
|
||
|
#include <grub/hfsplus.h>
|
||
|
+#include <grub/safemath.h>
|
||
|
|
||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||
|
|
||
|
@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
|
||
|
{
|
||
|
char *symlink;
|
||
|
grub_ssize_t numread;
|
||
|
+ grub_size_t sz = node->size;
|
||
|
|
||
|
- symlink = grub_malloc (node->size + 1);
|
||
|
+ if (grub_add (sz, 1, &sz))
|
||
|
+ return NULL;
|
||
|
+
|
||
|
+ symlink = grub_malloc (sz);
|
||
|
if (!symlink)
|
||
|
return 0;
|
||
|
|
||
|
@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
|
||
|
if (type == GRUB_FSHELP_UNKNOWN)
|
||
|
return 0;
|
||
|
|
||
|
- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
|
||
|
- * GRUB_MAX_UTF8_PER_UTF16 + 1);
|
||
|
+ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
|
||
|
+ GRUB_MAX_UTF8_PER_UTF16 + 1);
|
||
|
if (! filename)
|
||
|
return 0;
|
||
|
|
||
|
--
|
||
|
2.26.2
|
||
|
|