Blame SOURCES/0303-malloc-Use-overflow-checking-primitives-where-we-do-.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c4e390
From: Peter Jones <pjones@redhat.com>
c4e390
Date: Mon, 15 Jun 2020 12:28:27 -0400
b1bcb2
Subject: [PATCH] malloc: Use overflow checking primitives where we do complex
b1bcb2
 allocations
c4e390
c4e390
This attempts to fix the places where we do the following where
c4e390
arithmetic_expr may include unvalidated data:
c4e390
c4e390
  X = grub_malloc(arithmetic_expr);
c4e390
c4e390
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
c4e390
grub_sub(), grub_mul() and testing for overflow before proceeding.
c4e390
c4e390
Among other issues, this fixes:
c4e390
  - allocation of integer overflow in grub_video_bitmap_create()
c4e390
    reported by Chris Coulson,
c4e390
  - allocation of integer overflow in grub_png_decode_image_header()
c4e390
    reported by Chris Coulson,
c4e390
  - allocation of integer overflow in grub_squash_read_symlink()
c4e390
    reported by Chris Coulson,
c4e390
  - allocation of integer overflow in grub_ext2_read_symlink()
c4e390
    reported by Chris Coulson,
c4e390
  - allocation of integer overflow in read_section_as_string()
c4e390
    reported by Chris Coulson.
c4e390
c4e390
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
c4e390
c4e390
Signed-off-by: Peter Jones <pjones@redhat.com>
c4e390
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
c4e390
Upstream-commit-id: 5fb2befbf04
c4e390
---
b1bcb2
 grub-core/commands/legacycfg.c | 29 ++++++++++++++++++----
b1bcb2
 grub-core/commands/wildcard.c  | 36 +++++++++++++++++++++++----
b1bcb2
 grub-core/disk/ldm.c           | 32 +++++++++++++++++-------
b1bcb2
 grub-core/font/font.c          |  7 +++++-
b1bcb2
 grub-core/fs/btrfs.c           | 29 +++++++++++++++-------
b1bcb2
 grub-core/fs/ext2.c            | 10 +++++++-
b1bcb2
 grub-core/fs/iso9660.c         | 55 +++++++++++++++++++++++++++++-------------
b1bcb2
 grub-core/fs/sfs.c             | 27 +++++++++++++++++----
b1bcb2
 grub-core/fs/squash4.c         | 45 +++++++++++++++++++++++++---------
b1bcb2
 grub-core/fs/udf.c             | 42 +++++++++++++++++++++-----------
b1bcb2
 grub-core/fs/xfs.c             | 11 ++++++---
b1bcb2
 grub-core/fs/zfs/zfs.c         | 22 +++++++++++------
b1bcb2
 grub-core/fs/zfs/zfscrypt.c    |  7 +++++-
b1bcb2
 grub-core/lib/arg.c            | 20 +++++++++++++--
b1bcb2
 grub-core/loader/i386/bsd.c    |  8 +++++-
b1bcb2
 grub-core/net/dns.c            |  9 ++++++-
b1bcb2
 grub-core/normal/charset.c     | 10 ++++++--
b1bcb2
 grub-core/normal/cmdline.c     | 14 +++++++++--
b1bcb2
 grub-core/normal/menu_entry.c  | 14 +++++++++--
b1bcb2
 grub-core/script/argv.c        | 16 ++++++++++--
b1bcb2
 grub-core/script/lexer.c       | 21 +++++++++++++---
b1bcb2
 grub-core/video/bitmap.c       | 25 ++++++++++++-------
b1bcb2
 grub-core/video/readers/png.c  | 13 ++++++++--
c4e390
 23 files changed, 387 insertions(+), 115 deletions(-)
c4e390
c4e390
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
c4e390
index d1127fa8968..155357a51d0 100644
c4e390
--- a/grub-core/commands/legacycfg.c
c4e390
+++ b/grub-core/commands/legacycfg.c
c4e390
@@ -32,6 +32,7 @@
c4e390
 #include <grub/auth.h>
c4e390
 #include <grub/disk.h>
c4e390
 #include <grub/partition.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -97,13 +98,22 @@ legacy_file (const char *filename)
c4e390
 	if (newsuffix)
c4e390
 	  {
c4e390
 	    char *t;
c4e390
-	    
c4e390
+	    grub_size_t sz;
c4e390
+
c4e390
+	    if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
c4e390
+		grub_add (sz, 1, &sz))
c4e390
+	      {
c4e390
+		grub_errno = GRUB_ERR_OUT_OF_RANGE;
c4e390
+		goto fail_0;
c4e390
+	      }
c4e390
+
c4e390
 	    t = suffix;
c4e390
-	    suffix = grub_realloc (suffix, grub_strlen (suffix)
c4e390
-				   + grub_strlen (newsuffix) + 1);
c4e390
+	    suffix = grub_realloc (suffix, sz);
c4e390
 	    if (!suffix)
c4e390
 	      {
c4e390
 		grub_free (t);
c4e390
+
c4e390
+ fail_0:
c4e390
 		grub_free (entrysrc);
c4e390
 		grub_free (parsed);
c4e390
 		grub_free (newsuffix);
c4e390
@@ -147,13 +157,22 @@ legacy_file (const char *filename)
c4e390
 	  else
c4e390
 	    {
c4e390
 	      char *t;
c4e390
+	      grub_size_t sz;
c4e390
+
c4e390
+	      if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
c4e390
+		  grub_add (sz, 1, &sz))
c4e390
+		{
c4e390
+		  grub_errno = GRUB_ERR_OUT_OF_RANGE;
c4e390
+		  goto fail_1;
c4e390
+		}
c4e390
 
c4e390
 	      t = entrysrc;
c4e390
-	      entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
c4e390
-				       + grub_strlen (parsed) + 1);
c4e390
+	      entrysrc = grub_realloc (entrysrc, sz);
c4e390
 	      if (!entrysrc)
c4e390
 		{
c4e390
 		  grub_free (t);
c4e390
+
c4e390
+ fail_1:
c4e390
 		  grub_free (parsed);
c4e390
 		  grub_free (suffix);
c4e390
 		  return grub_errno;
c4e390
diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
c4e390
index 0f40e041541..2383e0f99c7 100644
c4e390
--- a/grub-core/commands/wildcard.c
c4e390
+++ b/grub-core/commands/wildcard.c
c4e390
@@ -23,6 +23,7 @@
c4e390
 #include <grub/file.h>
c4e390
 #include <grub/device.h>
c4e390
 #include <grub/script_sh.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 #include <regex.h>
c4e390
 
c4e390
@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
c4e390
   int i;
c4e390
   int j;
c4e390
   char **p;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   if (! dest)
c4e390
     return ps;
c4e390
@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
c4e390
   for (j = 0; ps[j]; j++)
c4e390
     ;
c4e390
 
c4e390
-  p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
c4e390
+  if (grub_add (i, j, &sz) ||
c4e390
+      grub_add (sz, 1, &sz) ||
c4e390
+      grub_mul (sz, sizeof (char *), &sz))
c4e390
+    return dest;
c4e390
+
c4e390
+  p = grub_realloc (dest, sz);
c4e390
   if (! p)
c4e390
     {
c4e390
       grub_free (dest);
c4e390
@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
c4e390
   char ch;
c4e390
   int i = 0;
c4e390
   unsigned len = end - start;
c4e390
-  char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
c4e390
+  char *buffer;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
+  /* Worst case size is (len * 2 + 2 + 1). */
c4e390
+  if (grub_mul (len, 2, &sz) ||
c4e390
+      grub_add (sz, 3, &sz))
c4e390
+    return 1;
c4e390
+
c4e390
+  buffer = grub_malloc (sz);
c4e390
   if (! buffer)
c4e390
     return 1;
c4e390
 
c4e390
@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
c4e390
   struct match_devices_ctx *ctx = data;
c4e390
   char **t;
c4e390
   char *buffer;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   /* skip partitions if asked to. */
c4e390
   if (ctx->noparts && grub_strchr (name, ','))
c4e390
@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
c4e390
   if (regexec (ctx->regexp, buffer, 0, 0, 0))
c4e390
     {
c4e390
       grub_dprintf ("expand", "not matched\n");
c4e390
+ fail:
c4e390
       grub_free (buffer);
c4e390
       return 0;
c4e390
     }
c4e390
 
c4e390
-  t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
c4e390
+  if (grub_add (ctx->ndev, 2, &sz) ||
c4e390
+      grub_mul (sz, sizeof (char *), &sz))
c4e390
+    goto fail;
c4e390
+
c4e390
+  t = grub_realloc (ctx->devs, sz);
c4e390
   if (! t)
c4e390
     return 1;
c4e390
 
c4e390
@@ -296,6 +316,7 @@ match_files_iter (const char *name, const struct grub_dirhook_info *info,
c4e390
   struct match_files_ctx *ctx = data;
c4e390
   char **t;
c4e390
   char *buffer;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   /* skip . and .. names */
c4e390
   if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
c4e390
@@ -311,9 +332,14 @@ match_files_iter (const char *name, const struct grub_dirhook_info *info,
c4e390
   if (! buffer)
c4e390
     return 1;
c4e390
 
c4e390
-  t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
c4e390
-  if (! t)
c4e390
+  if (grub_add (ctx->nfile, 2, &sz) ||
c4e390
+      grub_mul (sz, sizeof (char *), &sz))
c4e390
+    goto fail;
c4e390
+
c4e390
+  t = grub_realloc (ctx->files, sz);
c4e390
+  if (!t)
c4e390
     {
c4e390
+ fail:
c4e390
       grub_free (buffer);
c4e390
       return 1;
c4e390
     }
c4e390
diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
c4e390
index 97a482705d0..b1a57f2d2ad 100644
c4e390
--- a/grub-core/disk/ldm.c
c4e390
+++ b/grub-core/disk/ldm.c
c4e390
@@ -25,6 +25,7 @@
c4e390
 #include <grub/msdos_partition.h>
c4e390
 #include <grub/gpt_partition.h>
c4e390
 #include <grub/i18n.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 #ifdef GRUB_UTIL
c4e390
 #include <grub/emu/misc.h>
c4e390
@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
c4e390
       struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
c4e390
 				/ sizeof (struct grub_ldm_vblk)];
c4e390
       unsigned i;
c4e390
+      grub_size_t sz;
c4e390
       err = grub_disk_read (disk, cursec, 0,
c4e390
 			    sizeof(vblk), &vblk);
c4e390
       if (err)
c4e390
@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
c4e390
 	      grub_free (lv);
c4e390
 	      goto fail2;
c4e390
 	    }
c4e390
-	  lv->name = grub_malloc (*ptr + 1);
c4e390
+	  if (grub_add (*ptr, 1, &sz))
c4e390
+	    {
c4e390
+	      grub_free (lv->internal_id);
c4e390
+	      grub_free (lv);
c4e390
+	      goto fail2;
c4e390
+	    }
c4e390
+	  lv->name = grub_malloc (sz);
c4e390
 	  if (!lv->name)
c4e390
 	    {
c4e390
 	      grub_free (lv->internal_id);
c4e390
@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
c4e390
 	  if (lv->segments->node_alloc == lv->segments->node_count)
c4e390
 	    {
c4e390
 	      void *t;
c4e390
-	      lv->segments->node_alloc *= 2; 
c4e390
-	      t = grub_realloc (lv->segments->nodes,
c4e390
-				sizeof (*lv->segments->nodes)
c4e390
-				* lv->segments->node_alloc);
c4e390
+	      grub_size_t sz;
c4e390
+
c4e390
+	      if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
c4e390
+		  grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
c4e390
+		goto fail2;
c4e390
+
c4e390
+	      t = grub_realloc (lv->segments->nodes, sz);
c4e390
 	      if (!t)
c4e390
 		goto fail2;
c4e390
 	      lv->segments->nodes = t;
c4e390
@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
c4e390
 	      if (comp->segment_alloc == comp->segment_count)
c4e390
 		{
c4e390
 		  void *t;
c4e390
-		  comp->segment_alloc *= 2;
c4e390
-		  t = grub_realloc (comp->segments,
c4e390
-				    comp->segment_alloc
c4e390
-				    * sizeof (*comp->segments));
c4e390
+		  grub_size_t sz;
c4e390
+
c4e390
+		  if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
c4e390
+		      grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
c4e390
+		    goto fail2;
c4e390
+
c4e390
+		  t = grub_realloc (comp->segments, sz);
c4e390
 		  if (!t)
c4e390
 		    goto fail2;
c4e390
 		  comp->segments = t;
c4e390
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
c4e390
index b5f43d992a4..71d3f78b88a 100644
c4e390
--- a/grub-core/font/font.c
c4e390
+++ b/grub-core/font/font.c
c4e390
@@ -30,6 +30,7 @@
c4e390
 #include <grub/unicode.h>
c4e390
 #include <grub/fontformat.h>
c4e390
 #include <grub/env.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -360,9 +361,13 @@ static char *
c4e390
 read_section_as_string (struct font_file_section *section)
c4e390
 {
c4e390
   char *str;
c4e390
+  grub_size_t sz;
c4e390
   grub_ssize_t ret;
c4e390
 
c4e390
-  str = grub_malloc (section->length + 1);
c4e390
+  if (grub_add (section->length, 1, &sz))
c4e390
+    return NULL;
c4e390
+
c4e390
+  str = grub_malloc (sz);
c4e390
   if (!str)
c4e390
     return 0;
c4e390
 
c4e390
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
c4e390
index db57875f490..fb5ab2b3deb 100644
c4e390
--- a/grub-core/fs/btrfs.c
c4e390
+++ b/grub-core/fs/btrfs.c
c4e390
@@ -29,6 +29,7 @@
c4e390
 #include <minilzo.h>
c4e390
 #include <grub/i18n.h>
c4e390
 #include <grub/btrfs.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -292,9 +293,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
c4e390
   if (desc->allocated < desc->depth)
c4e390
     {
c4e390
       void *newdata;
c4e390
-      desc->allocated *= 2;
c4e390
-      newdata = grub_realloc (desc->data, sizeof (desc->data[0])
c4e390
-			      * desc->allocated);
c4e390
+      grub_size_t sz;
c4e390
+
c4e390
+      if (grub_mul (desc->allocated, 2, &desc->allocated) ||
c4e390
+	  grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
c4e390
+	return GRUB_ERR_OUT_OF_RANGE;
c4e390
+
c4e390
+      newdata = grub_realloc (desc->data, sz);
c4e390
       if (!newdata)
c4e390
 	return grub_errno;
c4e390
       desc->data = newdata;
c4e390
@@ -589,15 +594,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id, int do_rescan)
c4e390
   if (data->n_devices_attached > data->n_devices_allocated)
c4e390
     {
c4e390
       void *tmp;
c4e390
-      data->n_devices_allocated = 2 * data->n_devices_attached + 1;
c4e390
-      data->devices_attached
c4e390
-	= grub_realloc (tmp = data->devices_attached,
c4e390
-			data->n_devices_allocated
c4e390
-			* sizeof (data->devices_attached[0]));
c4e390
+      grub_size_t sz;
c4e390
+
c4e390
+      if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
c4e390
+	  grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
c4e390
+	  grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
c4e390
+	goto fail;
c4e390
+
c4e390
+      data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
c4e390
       if (!data->devices_attached)
c4e390
 	{
c4e390
-	  grub_device_close (ctx.dev_found);
c4e390
 	  data->devices_attached = tmp;
c4e390
+
c4e390
+ fail:
c4e390
+	  if (ctx.dev_found)
c4e390
+	    grub_device_close (ctx.dev_found);
c4e390
 	  return NULL;
c4e390
 	}
c4e390
     }
c4e390
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
c4e390
index 5f7a2b9d5bd..2fda8d09caa 100644
c4e390
--- a/grub-core/fs/ext2.c
c4e390
+++ b/grub-core/fs/ext2.c
c4e390
@@ -46,6 +46,7 @@
c4e390
 #include <grub/dl.h>
c4e390
 #include <grub/types.h>
c4e390
 #include <grub/fshelp.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -631,6 +632,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
c4e390
 {
c4e390
   char *symlink;
c4e390
   struct grub_fshelp_node *diro = node;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   if (! diro->inode_read)
c4e390
     {
c4e390
@@ -639,7 +641,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
c4e390
 	return 0;
c4e390
     }
c4e390
 
c4e390
-  symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
c4e390
+  if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
c4e390
+    {
c4e390
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+      return NULL;
c4e390
+    }
c4e390
+
c4e390
+  symlink = grub_malloc (sz);
c4e390
   if (! symlink)
c4e390
     return 0;
c4e390
 
c4e390
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
c4e390
index 2fe433ceb54..d6dc55b5803 100644
c4e390
--- a/grub-core/fs/iso9660.c
c4e390
+++ b/grub-core/fs/iso9660.c
c4e390
@@ -28,6 +28,7 @@
c4e390
 #include <grub/fshelp.h>
c4e390
 #include <grub/charset.h>
c4e390
 #include <grub/datetime.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -528,11 +529,16 @@ struct iterate_dir_ctx
c4e390
 static void
c4e390
 add_part (struct iterate_dir_ctx *ctx,
c4e390
 	  const char *part,
c4e390
-	  int len2)
c4e390
+	  grub_size_t len2)
c4e390
 {
c4e390
-  int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
c4e390
+  grub_size_t size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
-  ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
c4e390
+  if (grub_add (size, len2, &sz) ||
c4e390
+      grub_add (sz, 1, &sz))
c4e390
+    return;
c4e390
+
c4e390
+  ctx->symlink = grub_realloc (ctx->symlink, sz);
c4e390
   if (! ctx->symlink)
c4e390
     return;
c4e390
 
c4e390
@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
c4e390
 	{
c4e390
 	  grub_size_t off = 0, csize = 1;
c4e390
 	  char *old;
c4e390
+	  grub_size_t sz;
c4e390
+
c4e390
 	  csize = entry->len - 5;
c4e390
 	  old = ctx->filename;
c4e390
 	  if (ctx->filename_alloc)
c4e390
 	    {
c4e390
 	      off = grub_strlen (ctx->filename);
c4e390
-	      ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
c4e390
+	      if (grub_add (csize, off, &sz) ||
c4e390
+		  grub_add (sz, 1, &sz))
c4e390
+		return GRUB_ERR_OUT_OF_RANGE;
c4e390
+	      ctx->filename = grub_realloc (ctx->filename, sz);
c4e390
 	    }
c4e390
 	  else
c4e390
 	    {
c4e390
 	      off = 0;
c4e390
-	      ctx->filename = grub_zalloc (csize + 1);
c4e390
+	      if (grub_add (csize, 1, &sz))
c4e390
+		return GRUB_ERR_OUT_OF_RANGE;
c4e390
+	      ctx->filename = grub_zalloc (sz);
c4e390
 	    }
c4e390
 	  if (!ctx->filename)
c4e390
 	    {
c4e390
@@ -780,14 +793,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
c4e390
 	    if (node->have_dirents >= node->alloc_dirents)
c4e390
 	      {
c4e390
 		struct grub_fshelp_node *new_node;
c4e390
-		node->alloc_dirents *= 2;
c4e390
-		new_node = grub_realloc (node, 
c4e390
-					 sizeof (struct grub_fshelp_node)
c4e390
-					 + ((node->alloc_dirents
c4e390
-					     - ARRAY_SIZE (node->dirents))
c4e390
-					    * sizeof (node->dirents[0])));
c4e390
+		grub_size_t sz;
c4e390
+
c4e390
+		if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
c4e390
+		    grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
c4e390
+		    grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
c4e390
+		    grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
c4e390
+		  goto fail_0;
c4e390
+
c4e390
+		new_node = grub_realloc (node, sz);
c4e390
 		if (!new_node)
c4e390
 		  {
c4e390
+ fail_0:
c4e390
 		    if (ctx.filename_alloc)
c4e390
 		      grub_free (ctx.filename);
c4e390
 		    grub_free (node);
c4e390
@@ -803,14 +820,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
c4e390
 		* sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
c4e390
 	      {
c4e390
 		struct grub_fshelp_node *new_node;
c4e390
-		new_node = grub_realloc (node,
c4e390
-					 sizeof (struct grub_fshelp_node)
c4e390
-					 + ((node->alloc_dirents
c4e390
-					     - ARRAY_SIZE (node->dirents))
c4e390
-					    * sizeof (node->dirents[0]))
c4e390
-					 + grub_strlen (ctx.symlink) + 1);
c4e390
+		grub_size_t sz;
c4e390
+
c4e390
+		if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
c4e390
+		    grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
c4e390
+		    grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
c4e390
+		    grub_add (sz, grub_strlen (ctx.symlink), &sz))
c4e390
+		  goto fail_1;
c4e390
+
c4e390
+		new_node = grub_realloc (node, sz);
c4e390
 		if (!new_node)
c4e390
 		  {
c4e390
+ fail_1:
c4e390
 		    if (ctx.filename_alloc)
c4e390
 		      grub_free (ctx.filename);
c4e390
 		    grub_free (node);
c4e390
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
c4e390
index 754cad880f5..4f68808a891 100644
c4e390
--- a/grub-core/fs/sfs.c
c4e390
+++ b/grub-core/fs/sfs.c
c4e390
@@ -26,6 +26,7 @@
c4e390
 #include <grub/types.h>
c4e390
 #include <grub/fshelp.h>
c4e390
 #include <grub/charset.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -302,10 +303,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
c4e390
       if (node->cache && node->cache_size >= node->cache_allocated)
c4e390
 	{
c4e390
 	  struct cache_entry *e = node->cache;
c4e390
-	  e = grub_realloc (node->cache,node->cache_allocated * 2
c4e390
-			    * sizeof (e[0]));
c4e390
+	  grub_size_t sz;
c4e390
+
c4e390
+	  if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
c4e390
+	    goto fail;
c4e390
+
c4e390
+	  e = grub_realloc (node->cache, sz);
c4e390
 	  if (!e)
c4e390
 	    {
c4e390
+ fail:
c4e390
 	      grub_errno = 0;
c4e390
 	      grub_free (node->cache);
c4e390
 	      node->cache = 0;
c4e390
@@ -472,10 +478,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
c4e390
   grub_size_t len = grub_strlen (name);
c4e390
   grub_uint8_t *name_u8;
c4e390
   int ret;
c4e390
+  grub_size_t sz;
c4e390
+
c4e390
+  if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
c4e390
+      grub_add (sz, 1, &sz))
c4e390
+    return 1;
c4e390
+
c4e390
   *node = grub_malloc (sizeof (**node));
c4e390
   if (!*node)
c4e390
     return 1;
c4e390
-  name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
c4e390
+  name_u8 = grub_malloc (sz);
c4e390
   if (!name_u8)
c4e390
     {
c4e390
       grub_free (*node);
c4e390
@@ -719,8 +731,13 @@ grub_sfs_label (grub_device_t device, char **label)
c4e390
   data = grub_sfs_mount (disk);
c4e390
   if (data)
c4e390
     {
c4e390
-      grub_size_t len = grub_strlen (data->label);
c4e390
-      *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
c4e390
+      grub_size_t sz, len = grub_strlen (data->label);
c4e390
+
c4e390
+      if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
c4e390
+	  grub_add (sz, 1, &sz))
c4e390
+	return GRUB_ERR_OUT_OF_RANGE;
c4e390
+
c4e390
+      *label = grub_malloc (sz);
c4e390
       if (*label)
c4e390
 	*grub_latin1_to_utf8 ((grub_uint8_t *) *label,
c4e390
 			      (const grub_uint8_t *) data->label,
c4e390
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
c4e390
index b97b34440ed..d9d87ee35c7 100644
c4e390
--- a/grub-core/fs/squash4.c
c4e390
+++ b/grub-core/fs/squash4.c
c4e390
@@ -26,6 +26,7 @@
c4e390
 #include <grub/types.h>
c4e390
 #include <grub/fshelp.h>
c4e390
 #include <grub/deflate.h>
c4e390
+#include <grub/safemath.h>
c4e390
 #include <minilzo.h>
c4e390
 
c4e390
 #include "xz.h"
c4e390
@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
c4e390
 {
c4e390
   char *ret;
c4e390
   grub_err_t err;
c4e390
-  ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
c4e390
+  grub_size_t sz;
c4e390
+
c4e390
+  if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
c4e390
+    {
c4e390
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+      return NULL;
c4e390
+    }
c4e390
+
c4e390
+  ret = grub_malloc (sz);
c4e390
+  if (!ret)
c4e390
+    return NULL;
c4e390
 
c4e390
   err = read_chunk (node->data, ret,
c4e390
 		    grub_le_to_cpu32 (node->ino.symlink.namelen),
c4e390
@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
c4e390
 
c4e390
   {
c4e390
     grub_fshelp_node_t node;
c4e390
-    node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
c4e390
+    grub_size_t sz;
c4e390
+
c4e390
+    if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
c4e390
+	grub_add (sz, sizeof (*node), &sz))
c4e390
+      return 0;
c4e390
+
c4e390
+    node = grub_malloc (sz);
c4e390
     if (!node)
c4e390
       return 0;
c4e390
-    grub_memcpy (node, dir,
c4e390
-		 sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
c4e390
+    grub_memcpy (node, dir, sz);
c4e390
     if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
c4e390
       return 1;
c4e390
 
c4e390
@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
c4e390
       {
c4e390
 	grub_err_t err;
c4e390
 
c4e390
-	node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
c4e390
+	if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
c4e390
+	    grub_add (sz, sizeof (*node), &sz))
c4e390
+	  return 0;
c4e390
+
c4e390
+	node = grub_malloc (sz);
c4e390
 	if (!node)
c4e390
 	  return 0;
c4e390
 
c4e390
-	grub_memcpy (node, dir,
c4e390
-		     sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
c4e390
+	grub_memcpy (node, dir, sz);
c4e390
 
c4e390
 	node->stsize--;
c4e390
 	err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
c4e390
@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
c4e390
 	  enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
c4e390
 	  struct grub_squash_dirent di;
c4e390
 	  struct grub_squash_inode ino;
c4e390
+	  grub_size_t sz;
c4e390
 
c4e390
 	  err = read_chunk (dir->data, &di, sizeof (di),
c4e390
 			    grub_le_to_cpu64 (dir->data->sb.diroffset)
c4e390
@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
c4e390
 	  if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
c4e390
 	    filetype = GRUB_FSHELP_SYMLINK;
c4e390
 
c4e390
-	  node = grub_malloc (sizeof (*node)
c4e390
-			      + (dir->stsize + 1) * sizeof (dir->stack[0]));
c4e390
+	  if (grub_add (dir->stsize, 1, &sz) ||
c4e390
+	      grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
c4e390
+	      grub_add (sz, sizeof (*node), &sz))
c4e390
+	    return 0;
c4e390
+
c4e390
+	  node = grub_malloc (sz);
c4e390
 	  if (! node)
c4e390
 	    return 0;
c4e390
 
c4e390
-	  grub_memcpy (node, dir,
c4e390
-		       sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
c4e390
+	  grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
c4e390
 
c4e390
 	  node->ino = ino;
c4e390
 	  node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
c4e390
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
c4e390
index 488f35a3ee5..99b001f2066 100644
c4e390
--- a/grub-core/fs/udf.c
c4e390
+++ b/grub-core/fs/udf.c
c4e390
@@ -28,6 +28,7 @@
c4e390
 #include <grub/charset.h>
c4e390
 #include <grub/datetime.h>
c4e390
 #include <grub/udf.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -853,9 +854,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
c4e390
 	utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
c4e390
     }
c4e390
   if (!outbuf)
c4e390
-    outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
c4e390
+    {
c4e390
+      grub_size_t size;
c4e390
+
c4e390
+      if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
c4e390
+	  grub_add (size, 1, &size))
c4e390
+	goto fail;
c4e390
+
c4e390
+      outbuf = grub_malloc (size);
c4e390
+    }
c4e390
   if (outbuf)
c4e390
     *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
c4e390
+
c4e390
+ fail:
c4e390
   grub_free (utf16);
c4e390
   return outbuf;
c4e390
 }
c4e390
@@ -949,7 +960,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
c4e390
   grub_size_t sz = U64 (node->block.fe.file_size);
c4e390
   grub_uint8_t *raw;
c4e390
   const grub_uint8_t *ptr;
c4e390
-  char *out, *optr;
c4e390
+  char *out = NULL, *optr;
c4e390
 
c4e390
   if (sz < 4)
c4e390
     return NULL;
c4e390
@@ -957,14 +968,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
c4e390
   if (!raw)
c4e390
     return NULL;
c4e390
   if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
c4e390
-    {
c4e390
-      grub_free (raw);
c4e390
-      return NULL;
c4e390
-    }
c4e390
+    goto fail_1;
c4e390
 
c4e390
-  out = grub_malloc (sz * 2 + 1);
c4e390
+  if (grub_mul (sz, 2, &sz) ||
c4e390
+      grub_add (sz, 1, &sz))
c4e390
+    goto fail_0;
c4e390
+
c4e390
+  out = grub_malloc (sz);
c4e390
   if (!out)
c4e390
     {
c4e390
+ fail_0:
c4e390
       grub_free (raw);
c4e390
       return NULL;
c4e390
     }
c4e390
@@ -975,17 +988,18 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
c4e390
     {
c4e390
       grub_size_t s;
c4e390
       if ((grub_size_t) (ptr - raw + 4) > sz)
c4e390
-	goto fail;
c4e390
+	goto fail_1;
c4e390
       if (!(ptr[2] == 0 && ptr[3] == 0))
c4e390
-	goto fail;
c4e390
+	goto fail_1;
c4e390
       s = 4 + ptr[1];
c4e390
       if ((grub_size_t) (ptr - raw + s) > sz)
c4e390
-	goto fail;
c4e390
+	goto fail_1;
c4e390
       switch (*ptr)
c4e390
 	{
c4e390
 	case 1:
c4e390
 	  if (ptr[1])
c4e390
-	    goto fail;
c4e390
+	    goto fail_1;
c4e390
+	  /* Fallthrough.  */
c4e390
 	case 2:
c4e390
 	  /* in 4 bytes. out: 1 byte.  */
c4e390
 	  optr = out;
c4e390
@@ -1009,11 +1023,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
c4e390
 	  if (optr != out)
c4e390
 	    *optr++ = '/';
c4e390
 	  if (!read_string (ptr + 4, s - 4, optr))
c4e390
-	    goto fail;
c4e390
+	    goto fail_1;
c4e390
 	  optr += grub_strlen (optr);
c4e390
 	  break;
c4e390
 	default:
c4e390
-	  goto fail;
c4e390
+	  goto fail_1;
c4e390
 	}
c4e390
       ptr += s;
c4e390
     }
c4e390
@@ -1021,7 +1035,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
c4e390
   grub_free (raw);
c4e390
   return out;
c4e390
 
c4e390
- fail:
c4e390
+ fail_1:
c4e390
   grub_free (raw);
c4e390
   grub_free (out);
c4e390
   grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
c4e390
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
c4e390
index 852155b1bf3..c2d1a587929 100644
c4e390
--- a/grub-core/fs/xfs.c
c4e390
+++ b/grub-core/fs/xfs.c
c4e390
@@ -25,6 +25,7 @@
c4e390
 #include <grub/dl.h>
c4e390
 #include <grub/types.h>
c4e390
 #include <grub/fshelp.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -863,6 +864,7 @@ static struct grub_xfs_data *
c4e390
 grub_xfs_mount (grub_disk_t disk)
c4e390
 {
c4e390
   struct grub_xfs_data *data = 0;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   data = grub_zalloc (sizeof (struct grub_xfs_data));
c4e390
   if (!data)
c4e390
@@ -877,10 +879,11 @@ grub_xfs_mount (grub_disk_t disk)
c4e390
   if (!grub_xfs_sb_valid(data))
c4e390
     goto fail;
c4e390
 
c4e390
-  data = grub_realloc (data,
c4e390
-		       sizeof (struct grub_xfs_data)
c4e390
-		       - sizeof (struct grub_xfs_inode)
c4e390
-		       + grub_xfs_inode_size(data) + 1);
c4e390
+  if (grub_add (grub_xfs_inode_size (data),
c4e390
+      sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
c4e390
+    goto fail;
c4e390
+
c4e390
+  data = grub_realloc (data, sz);
c4e390
 
c4e390
   if (! data)
c4e390
     goto fail;
c4e390
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
c4e390
index 3d7351de37c..6fd21f975f5 100644
c4e390
--- a/grub-core/fs/zfs/zfs.c
c4e390
+++ b/grub-core/fs/zfs/zfs.c
c4e390
@@ -55,6 +55,7 @@
c4e390
 #include <grub/deflate.h>
c4e390
 #include <grub/crypto.h>
c4e390
 #include <grub/i18n.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -769,11 +770,14 @@ fill_vdev_info (struct grub_zfs_data *data,
c4e390
   if (data->n_devices_attached > data->n_devices_allocated)
c4e390
     {
c4e390
       void *tmp;
c4e390
-      data->n_devices_allocated = 2 * data->n_devices_attached + 1;
c4e390
-      data->devices_attached
c4e390
-	= grub_realloc (tmp = data->devices_attached,
c4e390
-			data->n_devices_allocated
c4e390
-			* sizeof (data->devices_attached[0]));
c4e390
+      grub_size_t sz;
c4e390
+
c4e390
+      if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
c4e390
+	  grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
c4e390
+	  grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
c4e390
+	return GRUB_ERR_OUT_OF_RANGE;
c4e390
+
c4e390
+      data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
c4e390
       if (!data->devices_attached)
c4e390
 	{
c4e390
 	  data->devices_attached = tmp;
c4e390
@@ -3396,14 +3400,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
c4e390
 {
c4e390
   char *nvpair;
c4e390
   char *ret;
c4e390
-  grub_size_t size;
c4e390
+  grub_size_t size, sz;
c4e390
   int found;
c4e390
 
c4e390
   found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
c4e390
 			     &size, 0);
c4e390
   if (!found)
c4e390
     return 0;
c4e390
-  ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
c4e390
+
c4e390
+  if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
c4e390
+      return 0;
c4e390
+
c4e390
+  ret = grub_zalloc (sz);
c4e390
   if (!ret)
c4e390
     return 0;
c4e390
   grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
c4e390
diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
c4e390
index 88dae72efc4..6b98f3de98f 100644
c4e390
--- a/grub-core/fs/zfs/zfscrypt.c
c4e390
+++ b/grub-core/fs/zfs/zfscrypt.c
c4e390
@@ -22,6 +22,7 @@
c4e390
 #include <grub/misc.h>
c4e390
 #include <grub/disk.h>
c4e390
 #include <grub/partition.h>
c4e390
+#include <grub/safemath.h>
c4e390
 #include <grub/dl.h>
c4e390
 #include <grub/types.h>
c4e390
 #include <grub/zfs/zfs.h>
c4e390
@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
c4e390
 		  int passphrase)
c4e390
 {
c4e390
   struct grub_zfs_wrap_key *key;
c4e390
+  grub_size_t sz;
c4e390
+
c4e390
   if (!passphrase && keylen > 32)
c4e390
     keylen = 32;
c4e390
-  key = grub_malloc (sizeof (*key) + keylen);
c4e390
+  if (grub_add (sizeof (*key), keylen, &sz))
c4e390
+    return GRUB_ERR_OUT_OF_RANGE;
c4e390
+  key = grub_malloc (sz);
c4e390
   if (!key)
c4e390
     return grub_errno;
c4e390
   key->is_passphrase = passphrase;
c4e390
diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
c4e390
index fd7744a6ff6..3288609a5e1 100644
c4e390
--- a/grub-core/lib/arg.c
c4e390
+++ b/grub-core/lib/arg.c
c4e390
@@ -23,6 +23,7 @@
c4e390
 #include <grub/term.h>
c4e390
 #include <grub/extcmd.h>
c4e390
 #include <grub/i18n.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 /* Built-in parser for default options.  */
c4e390
 static const struct grub_arg_option help_options[] =
c4e390
@@ -216,7 +217,13 @@ static inline grub_err_t
c4e390
 add_arg (char ***argl, int *num, char *s)
c4e390
 {
c4e390
   char **p = *argl;
c4e390
-  *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
c4e390
+  grub_size_t sz;
c4e390
+
c4e390
+  if (grub_add (++(*num), 1, &sz) ||
c4e390
+      grub_mul (sz, sizeof (char *), &sz))
c4e390
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+
c4e390
+  *argl = grub_realloc (*argl, sz);
c4e390
   if (! *argl)
c4e390
     {
c4e390
       grub_free (p);
c4e390
@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
c4e390
   grub_size_t argcnt;
c4e390
   struct grub_arg_list *list;
c4e390
   const struct grub_arg_option *options;
c4e390
+  grub_size_t sz0, sz1;
c4e390
 
c4e390
   options = extcmd->options;
c4e390
   if (! options)
c4e390
@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
c4e390
 	argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
c4e390
     }
c4e390
 
c4e390
-  list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
c4e390
+  if (grub_mul (sizeof (*list), i, &sz0) ||
c4e390
+      grub_mul (sizeof (char *), argcnt, &sz1) ||
c4e390
+      grub_add (sz0, sz1, &sz0))
c4e390
+    {
c4e390
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+      return 0;
c4e390
+    }
c4e390
+
c4e390
+  list = grub_zalloc (sz0);
c4e390
   if (! list)
c4e390
     return 0;
c4e390
 
c4e390
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
c4e390
index b671f59b62a..dc62800df45 100644
c4e390
--- a/grub-core/loader/i386/bsd.c
c4e390
+++ b/grub-core/loader/i386/bsd.c
c4e390
@@ -35,6 +35,7 @@
c4e390
 #include <grub/ns8250.h>
c4e390
 #include <grub/bsdlabel.h>
c4e390
 #include <grub/crypto.h>
c4e390
+#include <grub/safemath.h>
c4e390
 #ifdef GRUB_MACHINE_PCBIOS
c4e390
 #include <grub/machine/int.h>
c4e390
 #endif
c4e390
@@ -1006,11 +1007,16 @@ grub_netbsd_add_modules (void)
c4e390
   struct grub_netbsd_btinfo_modules *mods;
c4e390
   unsigned i;
c4e390
   grub_err_t err;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   for (mod = netbsd_mods; mod; mod = mod->next)
c4e390
     modcnt++;
c4e390
 
c4e390
-  mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
c4e390
+  if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
c4e390
+      grub_add (sz, sizeof (*mods), &sz))
c4e390
+    return GRUB_ERR_OUT_OF_RANGE;
c4e390
+
c4e390
+  mods = grub_malloc (sz);
c4e390
   if (!mods)
c4e390
     return grub_errno;
c4e390
 
c4e390
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
c4e390
index 695a920ac44..bded12f22eb 100644
c4e390
--- a/grub-core/net/dns.c
c4e390
+++ b/grub-core/net/dns.c
c4e390
@@ -22,6 +22,7 @@
c4e390
 #include <grub/i18n.h>
c4e390
 #include <grub/err.h>
c4e390
 #include <grub/time.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 struct dns_cache_element
c4e390
 {
c4e390
@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
c4e390
     {
c4e390
       int na = dns_servers_alloc * 2;
c4e390
       struct grub_net_network_level_address *ns;
c4e390
+      grub_size_t sz;
c4e390
+
c4e390
       if (na < 8)
c4e390
 	na = 8;
c4e390
-      ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
c4e390
+
c4e390
+      if (grub_mul (na, sizeof (ns[0]), &sz))
c4e390
+	return GRUB_ERR_OUT_OF_RANGE;
c4e390
+
c4e390
+      ns = grub_realloc (dns_servers, sz);
c4e390
       if (!ns)
c4e390
 	return grub_errno;
c4e390
       dns_servers_alloc = na;
c4e390
diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
c4e390
index 33b8b9cae79..2143ff7cd89 100644
c4e390
--- a/grub-core/normal/charset.c
c4e390
+++ b/grub-core/normal/charset.c
c4e390
@@ -48,6 +48,7 @@
c4e390
 #include <grub/unicode.h>
c4e390
 #include <grub/term.h>
c4e390
 #include <grub/normal.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 #if HAVE_FONT_SOURCE
c4e390
 #include "widthspec.h"
c4e390
@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
c4e390
 	{
c4e390
 	  struct grub_unicode_combining *n;
c4e390
 	  unsigned j;
c4e390
+	  grub_size_t sz;
c4e390
 
c4e390
 	  if (!haveout)
c4e390
 	    continue;
c4e390
@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
c4e390
 	    n = out->combining_inline;
c4e390
 	  else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
c4e390
 	    {
c4e390
-	      n = grub_realloc (out->combining_ptr,
c4e390
-				sizeof (n[0]) * (out->ncomb + 1));
c4e390
+	      if (grub_add (out->ncomb, 1, &sz) ||
c4e390
+		  grub_mul (sz, sizeof (n[0]), &sz))
c4e390
+		goto fail;
c4e390
+
c4e390
+	      n = grub_realloc (out->combining_ptr, sz);
c4e390
 	      if (!n)
c4e390
 		{
c4e390
+ fail:
c4e390
 		  grub_errno = GRUB_ERR_NONE;
c4e390
 		  continue;
c4e390
 		}
c4e390
diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
c4e390
index aa6fd85d791..7a40c9b6d4c 100644
c4e390
--- a/grub-core/normal/cmdline.c
c4e390
+++ b/grub-core/normal/cmdline.c
c4e390
@@ -28,6 +28,7 @@
c4e390
 #include <grub/env.h>
c4e390
 #include <grub/i18n.h>
c4e390
 #include <grub/charset.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 static grub_uint32_t *kill_buf;
c4e390
 
c4e390
@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
c4e390
   if (len + (*llen) >= (*max_len))
c4e390
     {
c4e390
       grub_uint32_t *nbuf;
c4e390
-      (*max_len) *= 2;
c4e390
-      nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
c4e390
+      grub_size_t sz;
c4e390
+
c4e390
+      if (grub_mul (*max_len, 2, max_len) ||
c4e390
+	  grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
c4e390
+	{
c4e390
+	  grub_errno = GRUB_ERR_OUT_OF_RANGE;
c4e390
+	  goto fail;
c4e390
+	}
c4e390
+
c4e390
+      nbuf = grub_realloc ((*buf), sz);
c4e390
       if (nbuf)
c4e390
 	(*buf) = nbuf;
c4e390
       else
c4e390
 	{
c4e390
+ fail:
c4e390
 	  grub_print_error ();
c4e390
 	  grub_errno = GRUB_ERR_NONE;
c4e390
 	  (*max_len) /= 2;
c4e390
diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
c4e390
index dc1ac1dd1e1..79308a719d0 100644
c4e390
--- a/grub-core/normal/menu_entry.c
c4e390
+++ b/grub-core/normal/menu_entry.c
c4e390
@@ -27,6 +27,7 @@
c4e390
 #include <grub/auth.h>
c4e390
 #include <grub/i18n.h>
c4e390
 #include <grub/charset.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 enum update_mode
c4e390
   {
c4e390
@@ -113,10 +114,19 @@ ensure_space (struct line *linep, int extra)
c4e390
 {
c4e390
   if (linep->max_len < linep->len + extra)
c4e390
     {
c4e390
-      linep->max_len = 2 * (linep->len + extra);
c4e390
-      linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
c4e390
+      grub_size_t sz0, sz1;
c4e390
+
c4e390
+      if (linep->len < 0 || extra < 0 ||
c4e390
+	  grub_add ((unsigned long)linep->len, (unsigned long)extra, &sz0) ||
c4e390
+	  grub_mul (sz0, 2, &sz0) ||
c4e390
+	  grub_add (sz0, 1, &sz1) ||
c4e390
+	  grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
c4e390
+	return 0;
c4e390
+
c4e390
+      linep->buf = grub_realloc (linep->buf, sz1);
c4e390
       if (! linep->buf)
c4e390
 	return 0;
c4e390
+      linep->max_len = sz0;
c4e390
     }
c4e390
 
c4e390
   return 1;
c4e390
diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
c4e390
index 217ec5d1e1b..5751fdd5708 100644
c4e390
--- a/grub-core/script/argv.c
c4e390
+++ b/grub-core/script/argv.c
c4e390
@@ -20,6 +20,7 @@
c4e390
 #include <grub/mm.h>
c4e390
 #include <grub/misc.h>
c4e390
 #include <grub/script_sh.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 /* Return nearest power of two that is >= v.  */
c4e390
 static unsigned
c4e390
@@ -81,11 +82,16 @@ int
c4e390
 grub_script_argv_next (struct grub_script_argv *argv)
c4e390
 {
c4e390
   char **p = argv->args;
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
c4e390
     return 0;
c4e390
 
c4e390
-  p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
c4e390
+  if (grub_add (argv->argc, 2, &sz) ||
c4e390
+      grub_mul (sz, sizeof (char *), &sz))
c4e390
+    return 1;
c4e390
+
c4e390
+  p = grub_realloc (p, round_up_exp (sz));
c4e390
   if (! p)
c4e390
     return 1;
c4e390
 
c4e390
@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
c4e390
 {
c4e390
   grub_size_t a;
c4e390
   char *p = argv->args[argv->argc - 1];
c4e390
+  grub_size_t sz;
c4e390
 
c4e390
   if (! s)
c4e390
     return 0;
c4e390
 
c4e390
   a = p ? grub_strlen (p) : 0;
c4e390
 
c4e390
-  p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
c4e390
+  if (grub_add (a, slen, &sz) ||
c4e390
+      grub_add (sz, 1, &sz) ||
c4e390
+      grub_mul (sz, sizeof (char), &sz))
c4e390
+    return 1;
c4e390
+
c4e390
+  p = grub_realloc (p, round_up_exp (sz));
c4e390
   if (! p)
c4e390
     return 1;
c4e390
 
c4e390
diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
c4e390
index 128d2382268..1c8bca0a322 100644
c4e390
--- a/grub-core/script/lexer.c
c4e390
+++ b/grub-core/script/lexer.c
c4e390
@@ -24,6 +24,7 @@
c4e390
 #include <grub/mm.h>
c4e390
 #include <grub/script_sh.h>
c4e390
 #include <grub/i18n.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 #define yytext_ptr char *
c4e390
 #include "grub_script.tab.h"
c4e390
@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
c4e390
       old = lexer->recording;
c4e390
       if (lexer->recordlen < len)
c4e390
 	lexer->recordlen = len;
c4e390
-      lexer->recordlen *= 2;
c4e390
+
c4e390
+      if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
c4e390
+	goto fail;
c4e390
+
c4e390
       lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
c4e390
       if (!lexer->recording)
c4e390
 	{
c4e390
+ fail:
c4e390
 	  grub_free (old);
c4e390
 	  lexer->recordpos = 0;
c4e390
 	  lexer->recordlen = 0;
c4e390
@@ -130,7 +135,7 @@ int
c4e390
 grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
c4e390
 			  const char *input)
c4e390
 {
c4e390
-  grub_size_t len = 0;
c4e390
+  grub_size_t len = 0, sz;
c4e390
   char *p = 0;
c4e390
   char *line = 0;
c4e390
   YY_BUFFER_STATE buffer;
c4e390
@@ -167,12 +172,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
c4e390
     }
c4e390
   else if (len && line[len - 1] != '\n')
c4e390
     {
c4e390
-      p = grub_realloc (line, len + 2);
c4e390
+      if (grub_add (len, 2, &sz))
c4e390
+	{
c4e390
+	  grub_free (line);
c4e390
+	  grub_script_yyerror (parserstate, N_("overflow is detected"));
c4e390
+	  return 1;
c4e390
+	}
c4e390
+
c4e390
+      p = grub_realloc (line, sz);
c4e390
       if (p)
c4e390
 	{
c4e390
 	  p[len++] = '\n';
c4e390
 	  p[len] = '\0';
c4e390
 	}
c4e390
+      else
c4e390
+	grub_free (line);
c4e390
+
c4e390
       line = p;
c4e390
     }
c4e390
 
c4e390
diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
c4e390
index b2e0315665b..6256e209a6b 100644
c4e390
--- a/grub-core/video/bitmap.c
c4e390
+++ b/grub-core/video/bitmap.c
c4e390
@@ -23,6 +23,7 @@
c4e390
 #include <grub/mm.h>
c4e390
 #include <grub/misc.h>
c4e390
 #include <grub/i18n.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
c4e390
                           enum grub_video_blit_format blit_format)
c4e390
 {
c4e390
   struct grub_video_mode_info *mode_info;
c4e390
-  unsigned int size;
c4e390
+  grub_size_t size;
c4e390
 
c4e390
   if (!bitmap)
c4e390
     return grub_error (GRUB_ERR_BUG, "invalid argument");
c4e390
@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
c4e390
 
c4e390
   mode_info->pitch = width * mode_info->bytes_per_pixel;
c4e390
 
c4e390
-  /* Calculate size needed for the data.  */
c4e390
-  size = (width * mode_info->bytes_per_pixel) * height;
c4e390
+  /* Calculate size needed for the data. */
c4e390
+  if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
c4e390
+      grub_mul (size, height, &size))
c4e390
+    {
c4e390
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+      goto fail;
c4e390
+    }
c4e390
 
c4e390
   (*bitmap)->data = grub_zalloc (size);
c4e390
   if (! (*bitmap)->data)
c4e390
-    {
c4e390
-      grub_free (*bitmap);
c4e390
-      *bitmap = 0;
c4e390
-
c4e390
-      return grub_errno;
c4e390
-    }
c4e390
+    goto fail;
c4e390
 
c4e390
   return GRUB_ERR_NONE;
c4e390
+
c4e390
+ fail:
c4e390
+  grub_free (*bitmap);
c4e390
+  *bitmap = NULL;
c4e390
+
c4e390
+  return grub_errno;
c4e390
 }
c4e390
 
c4e390
 /* Frees all resources allocated by bitmap.  */
c4e390
diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
c4e390
index 0a1c6584dd3..39560f56fdc 100644
c4e390
--- a/grub-core/video/readers/png.c
c4e390
+++ b/grub-core/video/readers/png.c
c4e390
@@ -23,6 +23,7 @@
c4e390
 #include <grub/mm.h>
c4e390
 #include <grub/misc.h>
c4e390
 #include <grub/bufio.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
c4e390
       data->bpp <<= 1;
c4e390
 
c4e390
   data->color_bits = color_bits;
c4e390
-  data->row_bytes = data->image_width * data->bpp;
c4e390
+
c4e390
+  if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
c4e390
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+
c4e390
   if (data->color_bits <= 4)
c4e390
-    data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
c4e390
+    {
c4e390
+      if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
c4e390
+	return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
c4e390
+
c4e390
+      data->row_bytes >>= 3;
c4e390
+    }
c4e390
 
c4e390
 #ifndef GRUB_CPU_WORDS_BIGENDIAN
c4e390
   if (data->is_16bit || data->is_gray || data->is_palette)