From: Jagannathan Raman Date: Thu, 17 Nov 2022 00:17:52 +0000 (+0000) Subject: fs/udf: Validate length of AED in grub_udf_read_block() X-Git-Tag: grub-2.12-rc1~208 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c08edc545cccc38e4c7fcc7b515916279128a101;p=thirdparty%2Fgrub.git fs/udf: Validate length of AED in grub_udf_read_block() Validate the length of Allocation Extent Descriptor in grub_udf_read_block(), based on the details in UDF spec. v2.01 section 2.3.11. Fixes: CID 314037 Signed-off-by: Jagannathan Raman Reviewed-by: Daniel Kiper --- diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c index 12e88ab62..7679ea309 100644 --- a/grub-core/fs/udf.c +++ b/grub-core/fs/udf.c @@ -510,6 +510,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) } len = U32 (extension->ae_len); + /* + * Ensure AE length is less than block size + * per UDF spec v2.01 section 2.3.11. + * + * node->data->lbshift is initialized by + * grub_udf_mount(). lbshift has a maximum value + * of 3 and it does not cause an overflow here. + */ + if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift)) + { + grub_error (GRUB_ERR_BAD_FS, "invalid ae length"); + goto fail; + } + ad = (struct grub_udf_short_ad *) (buf + sizeof (struct grub_udf_aed)); continue; @@ -563,6 +577,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) } len = U32 (extension->ae_len); + /* + * Ensure AE length is less than block size + * per UDF spec v2.01 section 2.3.11. + * + * node->data->lbshift is initialized by + * grub_udf_mount(). lbshift has a maximum value + * of 3 and it does not cause an overflow here. + */ + if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift)) + { + grub_error (GRUB_ERR_BAD_FS, "invalid ae length"); + goto fail; + } + ad = (struct grub_udf_long_ad *) (buf + sizeof (struct grub_udf_aed)); continue;