A corrupted hfsplus can have a catalog key that is out of range. This
can lead to an out-of-bounds access when advancing the pointer to access
catalog file info. The valid range of a catalog key is specified in
HFS Plus Technical Note TN1150 [1].
[1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
#define HFSPLUS_BTNODE_MINSZ (1 << 9)
#define HFSPLUS_BTNODE_MAXSZ (1 << 15)
+#define HFSPLUS_CATKEY_MIN_LEN 6
+#define HFSPLUS_CATKEY_MAX_LEN 516
+
/* Some pre-defined file IDs. */
enum
{
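Review bot: The two new limits are bare magic numbers; a short comment deriving them from the TN1150 key layout the commit message cites would keep the next reader from having to re-derive or second-guess them. Something like `/* HFS+ catalog key length (TN1150): parentID (4) + nodeName length (2) = 6 min; plus up to 255 UTF-16 name units (510) = 516 max. The keyLength field itself is not counted. */` above the two defines would do. Documenting that the value excludes the keyLength field also makes the later `record + keylen` pointer arithmetic easier to audit.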
catkey = (struct grub_hfsplus_catkey *) record;
+ if (grub_be_to_cpu16 (catkey->keylen) < HFSPLUS_CATKEY_MIN_LEN ||
+ grub_be_to_cpu16 (catkey->keylen) > HFSPLUS_CATKEY_MAX_LEN)
+ {
+ grub_error (GRUB_ERR_BAD_FS, "catalog key length is out of range");
+ return 1;
+ }
+
fileinfo =
(struct grub_hfsplus_catfile *) ((char *) record
+ grub_be_to_cpu16 (catkey->keylen)