From: Lidong Chen Date: Thu, 6 Feb 2025 18:16:57 +0000 (+0000) Subject: kern/misc: Add sanity check after grub_strtoul() call X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8d6b06331a75d75b46f3dd6cc6fcd40dcf604b7;p=thirdparty%2Fgrub.git kern/misc: Add sanity check after grub_strtoul() call When the format string, fmt0, includes a positional argument grub_strtoul() or grub_strtoull() is called to extract the argument position. However, the returned argument position isn't fully validated. If the format is something like "%0$x" then these functions return 0 which leads to an underflow in the calculation of the args index, curn. The fix is to add a check to ensure the extracted argument position is greater than 0 before computing curn. Additionally, replace one grub_strtoull() with grub_strtoul() and change curn type to make code more correct. Fixes: CID 473841 Signed-off-by: Lidong Chen Reviewed-by: Daniel Kiper --- diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c index 7cee5d75c..2b7922393 100644 --- a/grub-core/kern/misc.c +++ b/grub-core/kern/misc.c @@ -830,7 +830,7 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args, while ((c = *fmt++) != 0) { int longfmt = 0; - grub_size_t curn; + unsigned long curn; const char *p; if (c != '%') @@ -848,7 +848,10 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args, if (*fmt == '$') { - curn = grub_strtoull (p, 0, 10) - 1; + curn = grub_strtoul (p, 0, 10); + if (curn == 0) + continue; + curn--; fmt++; } @@ -1034,6 +1037,8 @@ grub_vsnprintf_real (char *str, grub_size_t max_len, const char *fmt0, if (*fmt == '$') { + if (format1 == 0) + continue; curn = format1 - 1; fmt++; format1 = 0;