From: Lidong Chen
Date: Wed, 3 May 2023 17:32:18 +0000 (+0000)
Subject: fs/hfsplus: Prevent out of bound access in catalog file
X-Git-Tag: grub-2.12-rc1~71
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb8b0aabb8ab8adab88d3610496e191097adba5a;p=thirdparty%2Fgrub.git

fs/hfsplus: Prevent out of bound access in catalog file

A corrupted hfsplus can have a catalog key that is out of range. This can lead to out of bound access when advancing the pointer to access catalog file info. The valid range of a catalog key is specified in HFS Plus Technical Note TN1150 [1].

[1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html

Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---

diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 2bc1165c1..a2ae9486e 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -87,6 +87,9 @@ struct grub_hfsplus_catfile
 #define HFSPLUS_BTNODE_MINSZ (1 << 9)
 #define HFSPLUS_BTNODE_MAXSZ (1 << 15)
 
+#define HFSPLUS_CATKEY_MIN_LEN 6
+#define HFSPLUS_CATKEY_MAX_LEN 516
+
 /* Some pre-defined file IDs. */
 enum
  {
@@ -702,6 +705,13 @@ list_nodes (void *record, void *hook_arg)
 
  catkey = (struct grub_hfsplus_catkey *) record;
 
+ if (grub_be_to_cpu16 (catkey->keylen) < HFSPLUS_CATKEY_MIN_LEN ||
+ grub_be_to_cpu16 (catkey->keylen) > HFSPLUS_CATKEY_MAX_LEN)
+ {
+ grub_error (GRUB_ERR_BAD_FS, "catalog key length is out of range");
+ return 1;
+ }
+
  fileinfo =
  (struct grub_hfsplus_catfile *) ((char *) record
  + grub_be_to_cpu16 (catkey->keylen)
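Review bot: The two limits added in the first hunk have no comment saying where 6 and 516 come from or what the length counts, so a later reader cannot check them against the specification without the commit message. I would put above them a comment such as `/* Catalog key length limits from TN1150 (kHFSPlusCatalogKeyMinimumLength, kHFSPlusCatalogKeyMaximumLength); the value excludes the 2-byte keylen field itself. */`. The commit message already cites TN1150, but that reference does not travel with the source file.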
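Review bot: The new check in list_nodes bounds keylen by absolute constants only, so the `fileinfo` pointer computed right after it is still not checked against the end of the buffer that `record` points into. HFSPLUS_CATKEY_MAX_LEN (516) is larger than HFSPLUS_BTNODE_MINSZ (1 << 9, i.e. 512), so a key length the check accepts can exceed the smallest node size the file allows; whether the node buffer is exactly node-sized is not visible here and should be confirmed. Since the hook receives only `void *record`, the remaining-length check probably belongs in the B-tree iterator that calls it, or the record's remaining length needs to be passed in through `hook_arg`. Reading the field once, `grub_uint16_t keylen = grub_be_to_cpu16 (catkey->keylen);`, would also keep the check and the pointer arithmetic on the same value. list_nodes starts before the hunk and the `fileinfo` expression continues past its last line.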