1f5e046570
- Fix for CVE-2020-10713 (bsc#1168994) * 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch - Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812) * 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch * 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch * 0004-calloc-Use-calloc-at-most-places.patch * 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch * 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch * 0007-font-Do-not-load-more-than-one-NAME-section.patch - Fix CVE-2020-15706 (bsc#1174463) * 0008-script-Remove-unused-fields-from-grub_script_functio.patch * 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch - Fix CVE-2020-15707 (bsc#1174570) * 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch - Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data - Use grub_calloc for overflow check and return NULL when it would occur * 0001-add-support-for-UEFI-network-protocols.patch * 0003-bootp-New-net_bootp6-command.patch * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch * grub2-btrfs-09-get-default-subvolume.patch * grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch * grub2-grubenv-in-btrfs-header.patch OBS-URL: https://build.opensuse.org/request/show/823469 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=358
68 lines
1.9 KiB
Diff
68 lines
1.9 KiB
Diff
From 30508bd4692d2e022eff2e7f9c4be9f8abf57977 Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Sat, 4 Jul 2020 12:25:09 -0400
|
|
Subject: [PATCH 6/7] iso9660: Don't leak memory on realloc() failures
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
|
|
1 file changed, 20 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
|
|
index 7ba5b300b..5ec4433b8 100644
|
|
--- a/grub-core/fs/iso9660.c
|
|
+++ b/grub-core/fs/iso9660.c
|
|
@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
|
|
{
|
|
int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
|
|
grub_size_t sz;
|
|
+ char *new;
|
|
|
|
if (grub_add (size, len2, &sz) ||
|
|
grub_add (sz, 1, &sz))
|
|
return;
|
|
|
|
- ctx->symlink = grub_realloc (ctx->symlink, sz);
|
|
- if (! ctx->symlink)
|
|
- return;
|
|
+ new = grub_realloc (ctx->symlink, sz);
|
|
+ if (!new)
|
|
+ {
|
|
+ grub_free (ctx->symlink);
|
|
+ ctx->symlink = NULL;
|
|
+ return;
|
|
+ }
|
|
+ ctx->symlink = new;
|
|
|
|
grub_memcpy (ctx->symlink + size, part, len2);
|
|
ctx->symlink[size + len2] = 0;
|
|
@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
|
|
is the length. Both are part of the `Component
|
|
Record'. */
|
|
if (ctx->symlink && !ctx->was_continue)
|
|
- add_part (ctx, "/", 1);
|
|
+ {
|
|
+ add_part (ctx, "/", 1);
|
|
+ if (grub_errno)
|
|
+ return grub_errno;
|
|
+ }
|
|
+
|
|
add_part (ctx, (char *) &entry->data[pos + 2],
|
|
entry->data[pos + 1]);
|
|
ctx->was_continue = (entry->data[pos] & 1);
|
|
@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
|
|
add_part (ctx, "/", 1);
|
|
break;
|
|
}
|
|
+
|
|
+ /* Check if grub_realloc() failed in add_part(). */
|
|
+ if (grub_errno)
|
|
+ return grub_errno;
|
|
+
|
|
/* In pos + 1 the length of the `Component Record' is
|
|
stored. */
|
|
pos += entry->data[pos + 1] + 2;
|
|
--
|
|
2.27.0
|