Blame SOURCES/0318-hfsplus-fix-two-more-overflows.patch

c4e390
From 7bfc4727df287c0cf642cf4861c7ede073996f96 Mon Sep 17 00:00:00 2001
c4e390
From: Peter Jones <pjones@redhat.com>
c4e390
Date: Sun, 19 Jul 2020 14:43:31 -0400
c4e390
Subject: [PATCH 318/336] hfsplus: fix two more overflows
c4e390
c4e390
Both node->size and node->namelen come from the supplied filesystem,
c4e390
which may be user-supplied.  We can't trust them for the math unless we
c4e390
know they don't overflow; making sure they go through calloc() first
c4e390
will give us that.
c4e390
c4e390
Signed-off-by: Peter Jones <pjones@redhat.com>
c4e390
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
c4e390
Upstream-commit-id: b4915078903
c4e390
---
c4e390
 grub-core/fs/hfsplus.c | 11 ++++++++---
c4e390
 1 file changed, 8 insertions(+), 3 deletions(-)
c4e390
c4e390
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
c4e390
index 05016ee98a4..2ef0b8d3fec 100644
c4e390
--- a/grub-core/fs/hfsplus.c
c4e390
+++ b/grub-core/fs/hfsplus.c
c4e390
@@ -31,6 +31,7 @@
c4e390
 #include <grub/hfs.h>
c4e390
 #include <grub/charset.h>
c4e390
 #include <grub/hfsplus.h>
c4e390
+#include <grub/safemath.h>
c4e390
 
c4e390
 GRUB_MOD_LICENSE ("GPLv3+");
c4e390
 
c4e390
@@ -469,8 +470,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
c4e390
 {
c4e390
   char *symlink;
c4e390
   grub_ssize_t numread;
c4e390
+  grub_size_t sz = node->size;
c4e390
 
c4e390
-  symlink = grub_malloc (node->size + 1);
c4e390
+  if (grub_add (sz, 1, &sz))
c4e390
+    return NULL;
c4e390
+
c4e390
+  symlink = grub_malloc (sz);
c4e390
   if (!symlink)
c4e390
     return 0;
c4e390
 
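Review bot: The overflow check in `grub_hfsplus_read_symlink` only runs after `node->size` has been assigned to `grub_size_t sz`, so if that field is wider than `grub_size_t` (its declaration is not visible here, but a 64-bit size on a 32-bit build would qualify) the value is silently truncated before `grub_add` sees it. Any later use of the untruncated `node->size` as a read length would then exceed the allocation. Assuming `grub_add` keeps the type-generic behaviour of the compiler's add-overflow builtin, passing the field directly checks the full-width sum against the destination type: `grub_size_t sz;` followed by `if (grub_add (node->size, 1, &sz))`. The new early return also sets no error and uses `NULL` where the adjacent allocation-failure path uses `return 0;`, so a `grub_error (GRUB_ERR_OUT_OF_RANGE, ...)` before returning would tell callers why the symlink was rejected. The function body continues outside the hunk.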
c4e390
@@ -709,8 +714,8 @@ list_nodes (void *record, void *hook_arg)
c4e390
   if (type == GRUB_FSHELP_UNKNOWN)
c4e390
     return 0;
c4e390
 
c4e390
-  filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
c4e390
-			  * GRUB_MAX_UTF8_PER_UTF16 + 1);
c4e390
+  filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
c4e390
+			  GRUB_MAX_UTF8_PER_UTF16 + 1);
c4e390
   if (! filename)
c4e390
     return 0;
c4e390
 
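Review bot: When `catkey->namelen` is 0, the new `grub_calloc` call in `list_nodes` requests zero bytes, whereas the removed expression always reserved at least one byte for the terminator. The code that fills `filename` lies outside this hunk, but if it stores a terminating NUL after converting zero UTF-16 units, that store would fall outside the allocation (or, if a zero-size request returns NULL, the entry is silently skipped). Because `namelen` is read from the on-disk catalog key, the zero case should be handled explicitly: either reject it before allocating or keep the extra byte with checked arithmetic, e.g. `grub_mul (len, GRUB_MAX_UTF8_PER_UTF16, &sz) || grub_add (sz, 1, &sz)` followed by `grub_malloc (sz)`. A one-line comment that the second `grub_calloc` argument over-reserves one byte per UTF-16 unit, rather than one byte for the whole string, would also help the next reader.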
c4e390
-- 
c4e390
2.26.2
c4e390