From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 18:43:31 +0000 (-0400)
Subject: hfsplus: Fix two more overflows
X-Git-Tag: grub-2.06-rc1~226
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5703eb0625b786f141d09be19b7af40b572a446;p=thirdparty%2Fgrub.git

hfsplus: Fix two more overflows

Both node->size and node->namelen come from the supplied filesystem,
which may be user-supplied. We can't trust them for the math unless we
know they don't overflow. Making sure they go through grub_add() or
grub_calloc() first will give us that.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index dae43becc..9c4e4c88c 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -31,6 +31,7 @@
 #include <grub/hfs.h>
 #include <grub/charset.h>
 #include <grub/hfsplus.h>
+#include <grub/safemath.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
 {
   char *symlink;
   grub_ssize_t numread;
+  grub_size_t sz = node->size;
 
-  symlink = grub_malloc (node->size + 1);
+  if (grub_add (sz, 1, &sz))
+    return NULL;
+
+  symlink = grub_malloc (sz);
   if (!symlink)
     return 0;
 
@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
   if (type == GRUB_FSHELP_UNKNOWN)
     return 0;
 
-  filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
-			  * GRUB_MAX_UTF8_PER_UTF16 + 1);
+  filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
+			  GRUB_MAX_UTF8_PER_UTF16 + 1);
   if (! filename)
     return 0;