kern/misc: Add sanity check after grub_strtoul() call

When the format string, fmt0, includes a positional argument
grub_strtoul() or grub_strtoull() is called to extract the argument
position. However, the returned argument position isn't fully validated.
If the format is something like "%0$x" then these functions return
0 which leads to an underflow in the calculation of the args index, curn.
The fix is to add a check to ensure the extracted argument position is
greater than 0 before computing curn. Additionally, replace one
grub_strtoull() with grub_strtoul() and change curn type to make code
more correct.

Fixes: CID 473841
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index 7cee5d75c3c2c85ece5662c60de9257eaa53bab4..2b79223935b37c0a877b4718a7eef97229dcb069 100644 (file)
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -830,7 +830,7 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,
   while ((c = *fmt++) != 0)
     {
       int longfmt = 0;
-      grub_size_t curn;
+      unsigned long curn;
       const char *p;
 
       if (c != '%')
@@ -848,7 +848,10 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,
 
       if (*fmt == '$')
        {
-         curn = grub_strtoull (p, 0, 10) - 1;
+         curn = grub_strtoul (p, 0, 10);
+         if (curn == 0)
+           continue;
+         curn--;
          fmt++;
        }
 
@@ -1034,6 +1037,8 @@ grub_vsnprintf_real (char *str, grub_size_t max_len, const char *fmt0,
 
       if (*fmt == '$')
        {
+         if (format1 == 0)
+           continue;
          curn = format1 - 1;
          fmt++;
          format1 = 0;