fs/hfsplus: Don't fetch a key beyond the end of the node
authorDaniel Axtens <dja@axtens.net>
Fri, 22 Jan 2021 07:13:56 +0000 (18:13 +1100)
committerDaniel Kiper <daniel.kiper@oracle.com>
Tue, 2 Mar 2021 14:54:18 +0000 (15:54 +0100)
Otherwise you get a wild pointer, leading to a bunch of invalid reads.
Check it falls inside the given node.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/fs/hfsplus.c

index 8fe7c12ed8073742f46c543a558a0bdddf90fa81..1c7791b027e8a2440ae73a32ef1b5c096f14af71 100644 (file)
@@ -635,6 +635,10 @@ grub_hfsplus_btree_search (struct grub_hfsplus_btree *btree,
              pointer = ((char *) currkey
                         + grub_be_to_cpu16 (currkey->keylen)
                         + 2);
+
+             if ((char *) pointer > node + btree->nodesize - 2)
+               return grub_error (GRUB_ERR_BAD_FS, "HFS+ key beyond end of node");
+
              currnode = grub_be_to_cpu32 (grub_get_unaligned32 (pointer));
              match = 1;
            }
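Review bot: The added bound is two bytes looser than the read it guards: `grub_get_unaligned32 (pointer)` fetches four bytes, but `pointer` is accepted up to `node + btree->nodesize - 2`, so an on-disk `keylen` that lands the pointer in the last two or three bytes of the node still lets the read run past the end. Unless the `- 2` is deliberate for a reason not visible here, the check should reserve the full width of the load, e.g. `if ((char *) pointer > node + btree->nodesize - sizeof (grub_uint32_t))`. The body of grub_hfsplus_btree_search starts and ends outside the hunk; if `node` is heap-allocated there, this early `return grub_error (...)` would also need a `grub_free (node);` before it so that a malformed filesystem does not leak the buffer.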