grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary

From: Lidong Chen
Subject: [PATCH 3/4] fs/iso9660: Avoid reading past the entry boundary
Date: Wed, 14 Dec 2022 18:55:04 +0000 
Added a check for the SP entry data boundary before reading it.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
---
 grub-core/fs/iso9660.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 9170fa820..67aa8451c 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -408,6 +408,9 @@ set_rockridge (struct grub_iso9660_data *data)
   if (!sua_size)
     return GRUB_ERR_NONE;
 
+  if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
+    return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
+
   sua = grub_malloc (sua_size);
   if (! sua)
     return grub_errno;
@@ -434,8 +437,17 @@ set_rockridge (struct grub_iso9660_data *data)
       rootnode.have_symlink = 0;
       rootnode.dirents[0] = data->voldesc.rootdir;
 
-      /* The 2nd data byte stored how many bytes are skipped every time
-        to get to the SUA (System Usage Area).  */
+      /*
+       * The 2nd data byte stored how many bytes are skipped every time
+       * to get to the SUA (System Usage Area).
+       */
+      if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ + 2 ||
+         entry->len < GRUB_ISO9660_SUSP_HEADER_SZ + 2)
+       {
+         grub_free (sua);
+         return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
+       }
+
       data->susp_skip = entry->data[2];
       entry = (struct grub_iso9660_susp_entry *) ((char *) entry + entry->len);
 
-- 
2.35.1
reply via email to
[Prev in Thread] Current Thread [Next in Thread]