From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 19 Jul 2020 14:43:31 -0400 Subject: [PATCH] hfsplus: Fix two more overflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both node->size and node->namelen come from the supplied filesystem, which may be user-supplied. We can't trust them for the math unless we know they don't overflow. Making sure they go through grub_add() or grub_calloc() first will give us that. Signed-off-by: Peter Jones Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper Signed-off-by: Stefan Sørensen --- grub-core/fs/hfsplus.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c index dae43becc..9c4e4c88c 100644 --- a/grub-core/fs/hfsplus.c +++ b/grub-core/fs/hfsplus.c @@ -31,6 +31,7 @@ #include #include #include +#include GRUB_MOD_LICENSE ("GPLv3+"); @@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node) { char *symlink; grub_ssize_t numread; + grub_size_t sz = node->size; - symlink = grub_malloc (node->size + 1); + if (grub_add (sz, 1, &sz)) + return NULL; + + symlink = grub_malloc (sz); if (!symlink) return 0; @@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg) if (type == GRUB_FSHELP_UNKNOWN) return 0; - filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen) - * GRUB_MAX_UTF8_PER_UTF16 + 1); + filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen), + GRUB_MAX_UTF8_PER_UTF16 + 1); if (! filename) return 0; -- 2.26.2