[PATCH v2 2/4] fs/hfsplus: Prevent out of bound access in catalog file
From: |
Lidong Chen |
Subject: |
[PATCH v2 2/4] fs/hfsplus: Prevent out of bound access in catalog file |
Date: |
Wed, 3 May 2023 17:32:18 +0000 |
A corrupted hfsplus file system can have a catalog key whose length is
out of range. This can lead to an out-of-bounds access when advancing the
pointer to access the catalog file info. The valid range of a catalog key
is specified in HFS Plus Technical Note TN1150.
https://developer.apple.com/library/archive/technotes/tn/tn1150.html
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
---
grub-core/fs/hfsplus.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 1ffebc8be..9c1f12574 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -87,6 +87,9 @@ struct grub_hfsplus_catfile
#define HFSPLUS_BTNODE_MINSZ (1 << 9)
#define HFSPLUS_BTNODE_MAXSZ (1 << 15)
+#define HFSPLUS_CATKEY_MIN_LEN 6
+#define HFSPLUS_CATKEY_MAX_LEN 516
+
/* Some pre-defined file IDs. */
enum
{
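Review bot: The two new limits carry no comment saying where 6 and 516 come from, which makes them hard to audit against the on-disk format. I would add `/* Catalog key length bounds from TN1150: 4-byte parent ID + 2-byte name length, plus up to 255 UTF-16 units of name. */` above `HFSPLUS_CATKEY_MIN_LEN`. The enum that follows continues outside the hunk.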
@@ -699,6 +702,13 @@ list_nodes (void *record, void *hook_arg)
catkey = (struct grub_hfsplus_catkey *) record;
+ if (grub_be_to_cpu16 (catkey->keylen) < HFSPLUS_CATKEY_MIN_LEN ||
+ grub_be_to_cpu16 (catkey->keylen) > HFSPLUS_CATKEY_MAX_LEN)
+ {
+ grub_error (GRUB_ERR_BAD_FS, "catalog key length is out of range");
+ return 1;
+ }
+
fileinfo =
(struct grub_hfsplus_catfile *) ((char *) record
+ grub_be_to_cpu16 (catkey->keylen)
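Review bot: The new check in list_nodes bounds keylen by the TN1150 limits but not by the memory that actually holds the record, so a record placed near the end of a B-tree node can presumably still move `fileinfo` past the node buffer with a keylen of up to 516. list_nodes receives only `record` and `hook_arg`, so the remaining check likely belongs in the caller that walks the node (not visible here), comparing the record offset plus the key length plus `sizeof (struct grub_hfsplus_catfile)` against the node size. Separately, `grub_be_to_cpu16 (catkey->keylen)` is evaluated twice in the check and again in the pointer arithmetic; reading it once into a local, `grub_uint16_t keylen = grub_be_to_cpu16 (catkey->keylen);`, keeps the validated value and the used value the same. The function body and the `fileinfo` expression continue outside the hunk.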
--
2.39.1