fs/hfsplus: Validate btree node size

The invalid btree node size can cause crashes when parsing the btree.
The fix is to ensure the btree node size is within the valid range
defined in the HFS Plus technical note, TN1150 [1].

[1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 11393ca34663e56fb791569a2963178cea6a3304..2bc1165c1073881ec204e07b43c8c6ef5f6c1967 100644 (file)
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -84,6 +84,9 @@ struct grub_hfsplus_catfile
 #define GRUB_HFSPLUS_FILEMODE_DIRECTORY        0040000
 #define GRUB_HFSPLUS_FILEMODE_SYMLINK  0120000
 
+#define HFSPLUS_BTNODE_MINSZ   (1 << 9)
+#define HFSPLUS_BTNODE_MAXSZ   (1 << 15)
+
 /* Some pre-defined file IDs.  */
 enum
   {
@@ -584,6 +587,10 @@ grub_hfsplus_btree_search (struct grub_hfsplus_btree *btree,
       return 0;
     }
 
+  if (btree->nodesize < HFSPLUS_BTNODE_MINSZ ||
+      btree->nodesize > HFSPLUS_BTNODE_MAXSZ)
+    return grub_error (GRUB_ERR_BAD_FS, "invalid HFS+ btree node size");
+
   node = grub_malloc (btree->nodesize);
   if (! node)
     return grub_errno;