5975ab
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
a4d572
From: Peter Jones <pjones@redhat.com>
a4d572
Date: Sun, 19 Jul 2020 14:43:31 -0400
5975ab
Subject: [PATCH] hfsplus: fix two more overflows
a4d572
a4d572
Both node->size and node->namelen come from the supplied filesystem,
a4d572
which may be user-supplied.  We can't trust them for the math unless we
a4d572
know they don't overflow; making sure they go through calloc() first
a4d572
will give us that.
a4d572
a4d572
Signed-off-by: Peter Jones <pjones@redhat.com>
a4d572
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
a4d572
Upstream-commit-id: b4915078903
a4d572
---
a4d572
 grub-core/fs/hfsplus.c | 11 ++++++++---
a4d572
 1 file changed, 8 insertions(+), 3 deletions(-)
a4d572
a4d572
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
f6e916
index f1cd72398..8b17ebba2 100644
a4d572
--- a/grub-core/fs/hfsplus.c
a4d572
+++ b/grub-core/fs/hfsplus.c
a4d572
@@ -31,6 +31,7 @@
a4d572
 #include <grub/hfs.h>
a4d572
 #include <grub/charset.h>
a4d572
 #include <grub/hfsplus.h>
a4d572
+#include <grub/safemath.h>
a4d572
 
a4d572
 GRUB_MOD_LICENSE ("GPLv3+");
a4d572
 
a4d572
@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
a4d572
 {
a4d572
   char *symlink;
a4d572
   grub_ssize_t numread;
a4d572
+  grub_size_t sz = node->size;
a4d572
 
a4d572
-  symlink = grub_malloc (node->size + 1);
a4d572
+  if (grub_add (sz, 1, &sz))
a4d572
+    return NULL;
a4d572
+
a4d572
+  symlink = grub_malloc (sz);
a4d572
   if (!symlink)
a4d572
     return 0;
a4d572
 
a4d572
@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
a4d572
   if (type == GRUB_FSHELP_UNKNOWN)
a4d572
     return 0;
a4d572
 
a4d572
-  filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
a4d572
-			  * GRUB_MAX_UTF8_PER_UTF16 + 1);
a4d572
+  filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
a4d572
+			  GRUB_MAX_UTF8_PER_UTF16 + 1);
a4d572
   if (! filename)
a4d572
     return 0;
a4d572