[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 035/117] hfsplus: Check that the volume name length is v
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 035/117] hfsplus: Check that the volume name length is valid |
Date: |
Tue, 2 Mar 2021 19:00:42 +0100 |
From: Darren Kenny <darren.kenny@oracle.com>
HFS+ documentation suggests that the maximum filename and volume name is
255 Unicode characters in length.
So, when converting from big-endian to little-endian, we should ensure
that the name of the volume has a length that is between 0 and 255,
inclusive.
Fixes: CID 73641
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/hfsplus.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 9c4e4c88c..8fe7c12ed 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -1012,6 +1012,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
label_len = grub_be_to_cpu16 (catkey->namelen);
+
+ /* Ensure that the length is >= 0. */
+ if (label_len < 0)
+ label_len = 0;
+
+ /* Ensure label length is at most 255 Unicode characters. */
+ if (label_len > 255)
+ label_len = 255;
+
label_name = grub_calloc (label_len, sizeof (*label_name));
if (!label_name)
{
--
2.11.0
- [SECURITY PATCH 023/117] gnulib/regexec: Resolve unused variable, (continued)
- [SECURITY PATCH 023/117] gnulib/regexec: Resolve unused variable, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 026/117] gnulib/regexec: Fix possible null-dereference, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 030/117] kern/partition: Check for NULL before dereferencing input string, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 029/117] zstd: Initialize seq_t structure fully, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 033/117] disk/ldm: Fix memory leak on uninserted lv references, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 027/117] gnulib/regcomp: Fix uninitialized re_token, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 031/117] disk/ldm: Make sure comp data is freed before exiting from make_vg(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 034/117] disk/cryptodisk: Fix potential integer overflow, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 035/117] hfsplus: Check that the volume name length is valid,
Daniel Kiper <=
- [SECURITY PATCH 036/117] zfs: Fix possible negative shift operation, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 028/117] io/lzopio: Resolve unnecessary self-assignment errors, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 039/117] zfsinfo: Correct a check for error allocating memory, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 032/117] disk/ldm: If failed then free vg variable too, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 040/117] affs: Fix memory leaks, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 038/117] zfs: Fix possible integer overflows, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 037/117] zfs: Fix resource leaks while constructing path, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 041/117] libgcrypt/mpi: Fix possible unintended sign extension, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 044/117] normal/completion: Fix leaking of memory when processing a completion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 043/117] syslinux: Fix memory leak while parsing, Daniel Kiper, 2021/03/02