On Thu, Apr 20, 2023 at 8:00 PM Lidong Chen <lidong.c...@oracle.com> wrote:
>
> A corrupted hfsplus can have a catalog key that is out of range.
> This can lead to out of bound access when advancing the pointer to
> access catalog file info.
Can you explain where 6 and 516 come from?
>
> Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
> ---
> grub-core/fs/hfsplus.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
> index 1ffebc8be..9c1f12574 100644
> --- a/grub-core/fs/hfsplus.c
> +++ b/grub-core/fs/hfsplus.c
> @@ -87,6 +87,9 @@ struct grub_hfsplus_catfile
> #define HFSPLUS_BTNODE_MINSZ (1 << 9)
> #define HFSPLUS_BTNODE_MAXSZ (1 << 15)
>
> +#define HFSPLUS_CATKEY_MIN_LEN 6
> +#define HFSPLUS_CATKEY_MAX_LEN 516
> +
> /* Some pre-defined file IDs. */
> enum
> {
> @@ -699,6 +702,13 @@ list_nodes (void *record, void *hook_arg)
>
> catkey = (struct grub_hfsplus_catkey *) record;
>
> + if (grub_be_to_cpu16 (catkey->keylen) < HFSPLUS_CATKEY_MIN_LEN ||
> + grub_be_to_cpu16 (catkey->keylen) > HFSPLUS_CATKEY_MAX_LEN)
> + {
> + grub_error (GRUB_ERR_BAD_FS, "catalog key length is out of range");
> + return 1;
> + }
> +
> fileinfo =
> (struct grub_hfsplus_catfile *) ((char *) record
> + grub_be_to_cpu16 (catkey->keylen)
> --
> 2.39.1
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
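Review bot: The new range check in list_nodes bounds keylen only by two constants, not by the size of the B-tree record it was read from, so a keylen up to HFSPLUS_CATKEY_MAX_LEN still advances `record` past the key with no visible check that the node buffer holds that many bytes plus the catfile structure that follows; whether the caller guarantees this for every record is not visible in the hunk. The added condition also evaluates `grub_be_to_cpu16 (catkey->keylen)` twice and the existing fileinfo computation a third time; hoisting it into a local ties the bound and the pointer advance to one value: `grub_uint16_t keylen = grub_be_to_cpu16 (catkey->keylen);`, `if (keylen < HFSPLUS_CATKEY_MIN_LEN || keylen > HFSPLUS_CATKEY_MAX_LEN)`, and `+ keylen` in place of the repeated conversion. list_nodes begins outside the hunk and the fileinfo assignment continues past its last line.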
-- Regards Vladimir 'phcoder' Serbinenko _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel