You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57 lines
1.6 KiB
57 lines
1.6 KiB
From 7bfc4727df287c0cf642cf4861c7ede073996f96 Mon Sep 17 00:00:00 2001 |
|
From: Peter Jones <pjones@redhat.com> |
|
Date: Sun, 19 Jul 2020 14:43:31 -0400 |
|
Subject: [PATCH 318/336] hfsplus: fix two more overflows |
|
|
|
Both node->size and node->namelen come from the supplied filesystem, |
|
which may be user-supplied. We can't trust them for the math unless we |
|
know they don't overflow; making sure they go through calloc() first |
|
will give us that. |
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com> |
|
Reviewed-by: Darren Kenny <darren.kenny@oracle.com> |
|
Upstream-commit-id: b4915078903 |
|
--- |
|
grub-core/fs/hfsplus.c | 11 ++++++++--- |
|
1 file changed, 8 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c |
|
index 05016ee98a4..2ef0b8d3fec 100644 |
|
--- a/grub-core/fs/hfsplus.c |
|
+++ b/grub-core/fs/hfsplus.c |
|
@@ -31,6 +31,7 @@ |
|
#include <grub/hfs.h> |
|
#include <grub/charset.h> |
|
#include <grub/hfsplus.h> |
|
+#include <grub/safemath.h> |
|
|
|
GRUB_MOD_LICENSE ("GPLv3+"); |
|
|
|
@@ -469,8 +470,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node) |
|
{ |
|
char *symlink; |
|
grub_ssize_t numread; |
|
+ grub_size_t sz = node->size; |
|
|
|
- symlink = grub_malloc (node->size + 1); |
|
+ if (grub_add (sz, 1, &sz)) |
|
+ return NULL; |
|
+ |
|
+ symlink = grub_malloc (sz); |
|
if (!symlink) |
|
return 0; |
|
|
|
@@ -709,8 +714,8 @@ list_nodes (void *record, void *hook_arg) |
|
if (type == GRUB_FSHELP_UNKNOWN) |
|
return 0; |
|
|
|
- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen) |
|
- * GRUB_MAX_UTF8_PER_UTF16 + 1); |
|
+ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen), |
|
+ GRUB_MAX_UTF8_PER_UTF16 + 1); |
|
if (! filename) |
|
return 0; |
|
|
|
-- |
|
2.26.2 |
|
|
|
|