]> git.ipfire.org Git - thirdparty/grub.git/commitdiff
projects / thirdparty / grub.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7580add)
gettext: Integer overflow leads to heap OOB write or read
authorLidong Chen <lidong.chen@oracle.com>
Fri, 22 Nov 2024 06:27:56 +0000 (06:27 +0000)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 13 Feb 2025 14:45:55 +0000 (15:45 +0100)
Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
overflow leading to subsequent OOB write or read. This patch fixes the
issue by replacing grub_zalloc() and explicit multiplication with
grub_calloc() which does the same thing in safe manner.

Fixes: CVE-2024-45776
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
grub-core/gettext/gettext.c patch | blob | blame | history

diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index e4f4f8ee66d031eef1e550c6d9a0bb40b7212cda..63bb1ab73f2cfce7569a24ab932e782dda509b0f 100644 (file)
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
        ctx->grub_gettext_max_log++);
 
-  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
-                                           sizeof (ctx->grub_gettext_msg_list[0]));
+  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
+                                           sizeof (ctx->grub_gettext_msg_list[0]));
   if (!ctx->grub_gettext_msg_list)
     {
       grub_file_close (fd);
Mirror of https://git.savannah.gnu.org/git/grub.git