From 66baeffc0f6373be4745a8f1941c46fc5e104392 Mon Sep 17 00:00:00 2001
From: Vladimir Serbinenko <phcoder@gmail.com>
Date: Sun, 25 Jan 2015 13:33:03 +0100
Subject: [PATCH 217/506] fs/sfs: Fix error check and add sanity check.
Found by: Coverity scan.
---
grub-core/fs/sfs.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index 6c82150..57b8d8d 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -173,10 +173,11 @@ grub_sfs_read_extent (struct grub_sfs_data *data, unsigned int block,
struct grub_sfs_btree *tree;
int i;
grub_uint32_t next;
+ grub_size_t blocksize = GRUB_DISK_SECTOR_SIZE << data->log_blocksize;
- treeblock = grub_malloc (GRUB_DISK_SECTOR_SIZE << data->log_blocksize);
- if (!block)
- return 0;
+ treeblock = grub_malloc (blocksize);
+ if (!treeblock)
+ return grub_errno;
next = grub_be_to_cpu32 (data->rblock.btree);
tree = (struct grub_sfs_btree *) treeblock;
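Review bot: The added `blocksize` line trusts `data->log_blocksize`, which is set outside this hunk. If that field comes from the on-disk root block without an upper bound, `GRUB_DISK_SECTOR_SIZE << data->log_blocksize` can overflow or exceed the type width. The resulting `treeblock` could then be too small to hold even the header later read through `tree`. If the mount path already bounds the value, a comment such as `/* log_blocksize is range-checked at mount time, so this shift cannot overflow. */` would record that; otherwise the range check belongs where the field is parsed. The body of grub_sfs_read_extent starts before and continues after this hunk.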
@@ -184,17 +185,21 @@ grub_sfs_read_extent (struct grub_sfs_data *data, unsigned int block,
/* Handle this level in the btree. */
do
{
+ grub_uint16_t nnodes;
grub_disk_read (data->disk,
((grub_disk_addr_t) next) << data->log_blocksize,
- 0, GRUB_DISK_SECTOR_SIZE << data->log_blocksize,
- treeblock);
+ 0, blocksize, treeblock);
if (grub_errno)
{
grub_free (treeblock);
return grub_errno;
}
- for (i = grub_be_to_cpu16 (tree->nodes) - 1; i >= 0; i--)
+ nnodes = grub_be_to_cpu16 (tree->nodes);
+ if (nnodes * (grub_uint32_t) (tree)->nodesize > blocksize)
+ break;
+
+ for (i = (int) nnodes - 1; i >= 0; i--)
{
#define EXTNODE(tree, index) \
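Review bot: The new bound `nnodes * (grub_uint32_t) (tree)->nodesize > blocksize` compares the node array against the whole block, but the cast to `struct grub_sfs_btree` suggests the nodes start after a header inside `treeblock`. If so, a crafted image can pass the check while its last node still extends past the buffer by the header size. The limit would be tighter as `blocksize - <offset of the first node in the block>` (placeholder; the struct layout is not visible here). The `break` also leaves the loop for code outside the hunk, so it is not visible whether the corruption is reported. An explicit `grub_free (treeblock); return grub_error (GRUB_ERR_BAD_FS, "SFS btree node count exceeds block");` would make the outcome unambiguous.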
--
2.4.3