From c08edc545cccc38e4c7fcc7b515916279128a101 Mon Sep 17 00:00:00 2001 From: Jagannathan Raman Date: Thu, 17 Nov 2022 00:17:52 +0000 Subject: [PATCH] fs/udf: Validate length of AED in grub_udf_read_block() Validate the length of Allocation Extent Descriptor in grub_udf_read_block(), based on the details in UDF spec. v2.01 section 2.3.11. Fixes: CID 314037 Signed-off-by: Jagannathan Raman Reviewed-by: Daniel Kiper --- grub-core/fs/udf.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c index 12e88ab62..7679ea309 100644 --- a/grub-core/fs/udf.c +++ b/grub-core/fs/udf.c @@ -510,6 +510,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) } len = U32 (extension->ae_len); + /* + * Ensure AE length is less than block size + * per UDF spec v2.01 section 2.3.11. + * + * node->data->lbshift is initialized by + * grub_udf_mount(). lbshift has a maximum value + * of 3 and it does not cause an overflow here. + */ + if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift)) + { + grub_error (GRUB_ERR_BAD_FS, "invalid ae length"); + goto fail; + } + ad = (struct grub_udf_short_ad *) (buf + sizeof (struct grub_udf_aed)); continue; @@ -563,6 +577,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) } len = U32 (extension->ae_len); + /* + * Ensure AE length is less than block size + * per UDF spec v2.01 section 2.3.11. + * + * node->data->lbshift is initialized by + * grub_udf_mount(). lbshift has a maximum value + * of 3 and it does not cause an overflow here. + */ + if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift)) + { + grub_error (GRUB_ERR_BAD_FS, "invalid ae length"); + goto fail; + } + ad = (struct grub_udf_long_ad *) (buf + sizeof (struct grub_udf_aed)); continue; -- 2.47.2