From 66baeffc0f6373be4745a8f1941c46fc5e104392 Mon Sep 17 00:00:00 2001
From: Vladimir Serbinenko <phcoder@gmail.com>
Date: Sun, 25 Jan 2015 13:33:03 +0100
Subject: [PATCH 217/506] fs/sfs: Fix error check and add sanity check.

Found by: Coverity scan.
---
 grub-core/fs/sfs.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index 6c82150..57b8d8d 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -173,10 +173,11 @@ grub_sfs_read_extent (struct grub_sfs_data *data, unsigned int block,
   struct grub_sfs_btree *tree;
   int i;
   grub_uint32_t next;
+  grub_size_t blocksize = GRUB_DISK_SECTOR_SIZE << data->log_blocksize;
 
-  treeblock = grub_malloc (GRUB_DISK_SECTOR_SIZE << data->log_blocksize);
-  if (!block)
-    return 0;
+  treeblock = grub_malloc (blocksize);
+  if (!treeblock)
+    return grub_errno;
 
   next = grub_be_to_cpu32 (data->rblock.btree);
   tree = (struct grub_sfs_btree *) treeblock;
@@ -184,17 +185,21 @@ grub_sfs_read_extent (struct grub_sfs_data *data, unsigned int block,
   /* Handle this level in the btree.  */
   do
     {
+      grub_uint16_t nnodes;
       grub_disk_read (data->disk,
 		      ((grub_disk_addr_t) next) << data->log_blocksize,
-		      0, GRUB_DISK_SECTOR_SIZE << data->log_blocksize,
-		      treeblock);
+		      0, blocksize, treeblock);
       if (grub_errno)
 	{
 	  grub_free (treeblock);
 	  return grub_errno;
 	}
 
-      for (i = grub_be_to_cpu16 (tree->nodes) - 1; i >= 0; i--)
+      nnodes = grub_be_to_cpu16 (tree->nodes);
+      if (nnodes * (grub_uint32_t) (tree)->nodesize > blocksize)
+	break;
+
+      for (i = (int) nnodes - 1; i >= 0; i--)
 	{
 
 #define EXTNODE(tree, index)						\
-- 
2.4.3