fs/hfsplus: Prevent out of bound access in catalog file

A corrupted hfsplus can have a catalog key that is out of range. This can lead to out of bound access when advancing the pointer to access catalog file info. The valid range of a catalog key is specified in HFS Plus Technical Note TN1150 [1]. [1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2026-04-28 06:33:17 +00:00 · 2023-05-03 17:32:18 +00:00
parent 3f6b129bdc
commit eb8b0aabb8
1 changed files with 10 additions and 0 deletions
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -87,6 +87,9 @@ struct grub_hfsplus_catfile
 #define HFSPLUS_BTNODE_MINSZ	(1 << 9)
 #define HFSPLUS_BTNODE_MAXSZ	(1 << 15)

+#define HFSPLUS_CATKEY_MIN_LEN	6
+#define HFSPLUS_CATKEY_MAX_LEN	516
+
 /* Some pre-defined file IDs.  */
 enum
  {
@@ -702,6 +705,13 @@ list_nodes (void *record, void *hook_arg)

  catkey = (struct grub_hfsplus_catkey *) record;

+  if (grub_be_to_cpu16 (catkey->keylen) < HFSPLUS_CATKEY_MIN_LEN ||
+      grub_be_to_cpu16 (catkey->keylen) > HFSPLUS_CATKEY_MAX_LEN)
+    {
+      grub_error (GRUB_ERR_BAD_FS, "catalog key length is out of range");
+      return 1;
+    }
+
  fileinfo =
    (struct grub_hfsplus_catfile *) ((char *) record
 				     + grub_be_to_cpu16 (catkey->keylen)