From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Sun, 19 Jul 2020 14:43:31 -0400

Subject: [PATCH] hfsplus: fix two more overflows

Both node->size and node->namelen come from the supplied filesystem,

which may be user-supplied.  We can't trust them for the math unless we

know they don't overflow; making sure they go through calloc() first

will give us that.

Signed-off-by: Peter Jones <pjones@redhat.com>

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

Upstream-commit-id: b4915078903

---

 grub-core/fs/hfsplus.c | 11 ++++++++---

 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c

index f1cd72398ec..8b17ebba296 100644

--- a/grub-core/fs/hfsplus.c

+++ b/grub-core/fs/hfsplus.c

@@ -31,6 +31,7 @@

 #include <grub/hfs.h>

 #include <grub/charset.h>

 #include <grub/hfsplus.h>

+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)

 {

   char *symlink;

   grub_ssize_t numread;

+  grub_size_t sz = node->size;

-  symlink = grub_malloc (node->size + 1);

+  if (grub_add (sz, 1, &sz))

+    return NULL;

+

+  symlink = grub_malloc (sz);

   if (!symlink)

     return 0;

@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)

   if (type == GRUB_FSHELP_UNKNOWN)

     return 0;

-  filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)

-			  * GRUB_MAX_UTF8_PER_UTF16 + 1);

+  filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),

+			  GRUB_MAX_UTF8_PER_UTF16 + 1);

   if (! filename)

     return 0;