summaryrefslogtreecommitdiff
path: root/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-pri...
diff options
context:
space:
mode:
authorAndrew Geissler <geissonator@yahoo.com>2020-12-01 04:58:47 +0300
committerAndrew Geissler <geissonator@yahoo.com>2020-12-01 18:27:18 +0300
commit6ce62a20847b1bd500386c842cf8b801b678bd1c (patch)
tree69d169c5d109b03251c4300f39cce5a575194e6f /poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
parentf31b8bdb5991e0570aeaf04a9bc50f41d55bccbe (diff)
downloadopenbmc-6ce62a20847b1bd500386c842cf8b801b678bd1c.tar.xz
poky: subtree update:7231c10430..0ac99625bf
Alban Bedel (1): systemd: Fix systemd when used with busybox less Alejandro Hernandez Samaniego (3): poky-tiny: Reduce busybox size by 13% poky-tiny: Enable size optimization by default python3: Update manifest Alexander Kamensky (1): kexec: arm64: disabled check if kaslr-seed dtb property was wiped Alexander Kanavin (128): systemd-boot: upgrade 246.2 -> 246.6 glib-2.0: upgrade 2.64.5 -> 2.66.1 cmake: update 3.18.2 -> 3.18.4 python3-pygobject: upgrade 3.36.1 -> 3.38.0 libdazzle: upgrade 3.36.0 -> 3.38.0 gobject-introspection: upgrade 1.64.1 -> 1.66.1 json-glib: upgrade 1.4.4 -> 1.6.0 ovmf: update edk2-stable202005 -> edk2-stable202008 gnu-config: update to latest revision file: enable all built-in compression checkers rpm: update 4.15.1 -> 4.16.0 elfutils: update 0.180 -> 0.181 ghostscript: update 9.52 -> 9.53.3 ltp: update 20200515 -> 20200930 gsettings-desktop-schemas: update 3.36.1 -> 3.38.0 libsecret: update 0.20.3 -> 0.20.4 mesa: update 20.1.8 -> 20.2.1 xf86-video-vesa: update 2.4.0 -> 2.5.0 lttng-modules: update 2.12.2 -> 2.12.3 webkitgtk: update 2.28.4 -> 2.30.1 dos2unix: update 7.4.1 -> 7.4.2 gnutls: update 3.16.4 -> 3.16.5 libcap: update 2.43 -> 2.44 vte: update 0.60.3 -> 0.62.1 libhandy: upgrade 0.0.13 -> 1.0.0 libportal: add a recipe epiphany: upgrade 3.36.4 -> 3.38.1 gtk-doc: upgrade 1.32 -> 1.33.0 rpm: adjust MIPS64 N32 support apt: remove host contamination with gtest opkg-utils: correct priority matching in update-alternatives libxml2: add a patch to fix python 3.9 support python: update 3.8.5 -> 3.9.0 glib-2.0: update 2.66.1 -> 2.66.2 json-glib: fix reproducibility spirv-tools: correctly set PV spirv-tools: upgrade 2019.5 -> 2020.5 glslang: fix upstream version check glslang: upgrade 8.13.3559 -> 8.13.3743 glslang: bump to a newer commit shaderc: upgrade 2019.0 -> 2020.3 vulkan: update 1.2.135 -> 1.2.154 vulkan-samples: replace vulkan-demos piglit: upgrade to latest revision acpica: upgrade 20200717 -> 20200925 adwaita-icon-theme: upgrade 3.36.1 -> 3.38.0 at-spi2-atk: upgrade 2.34.2 -> 2.38.0 at-spi2-core: upgrade 2.36.1 -> 2.38.0 bison: upgrade 3.7.2 -> 3.7.3 createrepo-c: upgrade 0.16.0 -> 0.16.1 curl: upgrade 7.72.0 -> 7.73.0 debianutils: upgrade 4.11.1 -> 4.11.2 dhcpcd: upgrade 9.2.0 -> 9.3.1 dmidecode: upgrade 3.2 -> 3.3 dnf: upgrade 4.2.23 -> 4.4.0 ethtool: upgrade 5.8 -> 5.9 expat: upgrade 2.2.9 -> 2.2.10 gcr: upgrade 3.36.0 -> 3.38.0 glib-networking: upgrade 2.64.3 -> 2.66.0 gtk+3: upgrade 3.24.22 -> 3.24.23 help2man: upgrade 1.47.15 -> 1.47.16 i2c-tools: upgrade 4.1 -> 4.2 iw: upgrade 5.8 -> 5.9 kmscube: upgrade to latest revision less: upgrade 562 -> 563 libdnf: upgrade 0.48.0 -> 0.54.2 libgudev: upgrade 233 -> 234 libinput: upgrade 1.16.1 -> 1.16.2 libuv: upgrade 1.39.0 -> 1.40.0 libva: upgrade 2.8.0 -> 2.9.0 libva-utils: update 2.8.0 -> 2.9.1 libwpe: upgrade 1.7.1 -> 1.8.0 libxkbcommon: upgrade 0.10.0 -> 1.0.1 openssh: upgrade 8.3p1 -> 8.4p1 openssl: upgrade 1.1.1g -> 1.1.1h strace: upgrade 5.8 -> 5.9 sudo: upgrade 1.9.3 -> 1.9.3p1 vala: upgrade 0.48.9 -> 0.50.1 wpebackend-fdo: upgrade 1.7.1 -> 1.8.0 xkeyboard-config: upgrade 2.30 -> 2.31 u-boot: upgrade 2020.07 -> 2020.10 usbutils: upgrade 012 -> 013 nfs-utils: upgrade 2.5.1 -> 2.5.2 dropbear: upgrade 2020.80 -> 2020.81 btrfs-tools: upgrade 5.7 -> 5.9 git: upgrade 2.28.0 -> 2.29.2 go: upgrade 1.15.2 -> 1.15.3 mtools: upgrade 4.0.24 -> 4.0.25 python3-numpy: upgrade 1.19.1 -> 1.19.3 python3-git: upgrade 3.1.7 -> 3.1.11 python3-pyelftools: upgrade 0.26 -> 0.27 python3-pygments: upgrade 2.6.1 -> 2.7.2 python3-setuptools: upgrade 49.6.0 -> 50.3.2 asciidoc: upgrade 9.0.2 -> 9.0.4 iptables: upgrade 1.8.5 -> 1.8.6 libsolv: upgrade 0.7.14 -> 0.7.16 stress-ng: upgrade 0.11.21 -> 0.11.23 libhandy: upgrade 1.0.0 -> 1.0.1 freetype: upgrade 2.10.2 -> 2.10.4 linux-firmware: upgrade 20200817 -> 20201022 alsa: upgrade 1.2.3 -> 1.2.4 gstreamer1.0: upgrade 1.18.0 -> 1.18.1 x264: upgrade to latest revision rt-tests/hwlatdetect: upgrade 1.8 -> 1.9 webkitgtk: upgrade 2.30.1 -> 2.30.2 diffoscope: upgrade 160 -> 161 enchant2: upgrade 2.2.9 -> 2.2.12 libassuan: upgrade 2.5.3 -> 2.5.4 libcap-ng: upgrade 0.7.11 -> 0.8 libevdev: upgrade 1.9.1 -> 1.10.0 libgcrypt: upgrade 1.8.6 -> 1.8.7 libmpc: upgrade 1.2.0 -> 1.2.1 libsoup-2.4: upgrade 2.70.0 -> 2.72.0 numactl: upgrade 2.0.13 -> 2.0.14 kea: use odd-even version scheme for updates mesa: fix a build race clutter-gst-3.0: do not call out to host gstreamer plugin scanner conf-notes.txt: mention more important images than just sato weston-init: correctly start under systemd weston-init: fall back to fbdev under x32 wayland-utils: introduce a recipe poky/conf-notes.txt: mention more important images than just sato python3: split python target configuration into own class python3-pycairo: use python3targetconfig distutils3-base.bbclass: use python3targetconfig meta: drop _PYTHON_SYSCONFIGDATA_NAME hacks gpgme: use python3targetconfig bitbake: lib/bb/fetch2/__init__.py: drop _PYTHON_SYSCONFIGDATA_NAME unsetting Alexander Vickberg (1): socat: make building with OpenSSL support optional Alistair (1): weston-init: Fix incorrect idle-time setting Andrej Valek (1): autotools: CONFIG_SHELL defaults Andrey Zhizhikin (1): insane: add GitLab /archive/ tests Anibal Limon (1): recipes-graphics: libxkbcommon disable build of libxkbregistry Anuj Mittal (2): glib-2.0: RDEPEND on dbusmock only when GI_DATA_ENABLED is True distutils-common-base: fix LINKSHARED expansion Bruce Ashfield (17): kernel: provide module.lds for out of tree builds in v5.10+ linux-yocto/5.8: update to v5.8.15 linux-yocto/5.4: update to v5.4.71 linux-yocto/5.8: update to v5.8.16 linux-yocto/5.4: update to v5.4.72 linux-yocto/5.8: update to v5.8.17 linux-yocto/5.4: update to v5.4.73 linux-yocto-dev: move to v5.10-rc linux-yocto/5.4: config cleanup / warnings linux-yocto/5.8: config cleanup / warnings linux-yocto/5.8: update to v5.8.18 linux-yocto/5.4: update to v5.4.75 kernel: relocate copy of module.lds to module compilation task linux-yocto/5.4: perf: Alias SYS_futex with SYS_futex_time64 on 32-bit arches with 64bit time_t linux-yocto/5.8: perf: Alias SYS_futex with SYS_futex_time64 on 32-bit arches with 64bit time_t linux-yocto/5.8: ext4/tipc warning fixups linux-yocto/5.4: update to v5.4.78 Chaitanya Vadrevu (1): isoimage-isohybrid.py: Support adding files/dirs Changqing Li (2): timezone: upgrade to 2020d vulkan-samples: fix do_compile failure Chee Yang Lee (2): bluez5: update to 5.55 ruby: update to 2.7.2 Chris Laplante (4): bitbake: main: extract creation of argument parser into function so it can be utilized externally, e.g. by unit tests bitbake: bb.ui: delete __init__.py to make bb.ui a namespace package bitbake: cookerdata: tweak to avoid mutable default argument cases/bbtests.py: ensure PACKAGE_CLASSES is set to RPM for bbtests.BitbakeTests.test_force_task_1 Dan Callaghan (1): gdb: add PACKAGECONFIG for xz (lzma) compression support Denys Dmytriyenko (1): grep: upgrade 3.4 -> 3.5 Denys Zagorui (1): binutils: reproducibility: reuse debug-prefix-map for stabs Federico Pellegrin (1): openssl: Add c_rehash to misc package and add perl runtime dependency Fedor Ross (2): sysvinit: remove bashism to be compatible with dash eudev: remove bashism to be compatible with dash Fredrik Gustafsson (1): package management: Allow dynamic loading of PM Gratian Crisan (1): kernel-module-split.bbclass: identify kernel modconf files as configuration files He Zhe (1): lttng-modules: Backport a patch to fix btrfs build failure Hombourger, Cedric (1): bitbake: fetch2: use relative symlinks for anything pulled from PREMIRRORS Hongxu Jia (1): bitbake: Revert "bb.ui: delete __init__.py to make bb.ui a namespace package" INC@Cisco) (1): kernel-devsrc: improve reproducibility for arm64 Jason Wessel (2): base-files/profile: Add universal resize function systemd-serialgetty: Switch to TERM=linux Jose Quaresma (31): spirv-tools: import from meta-oe to OE core spirv-tools: enable native build and install more header files glslang: add receipe shaderc: add receipe spirv-tools: fix identation and cleanup install append maintainers.inc: Add Jose Quaresma gstreamer1.0: Fix reproducibility issue around libcap gstreamer1.0: upgrade to version 1.18.0 gstreamer1.0-plugins-base: upgrade to version 1.18.0 gstreamer1.0-plugins-base: add new meson option as PACKAGECONFIG gstreamer1.0-plugins-good: upgrade to version 1.18.0 gstreamer1.0-plugins-good: disable new meson options gstreamer1.0-plugins-good: add new meson option as PACKAGECONFIG gstreamer1.0-plugins-bad: upgrade to version 1.18.0 gstreamer1.0-plugins-bad: disable new meson options gstreamer1.0-plugins-bad: add new meson options as PACKAGECONFIG gstreamer1.0-plugins-ugly: upgrade to version 1.18.0 gstreamer1.0-python: upgrade to version 1.18.0 gstreamer1.0-python: install append is not need any more gstreamer1.0-rtsp-server: upgrade to version 1.18.0 gstreamer1.0-vaapi: upgrade to version 1.18.0 gst-examples: upgrade to version 1.18.0 gstreamer1.0-omx: upgrade to version 1.18.0 gstreamer1.0-libav: upgrade to version 1.18.0 gst-devtools: add version 1.18.0 (gst-validate -> gst-devtools) orc: Upgrade 0.4.31 -> 0.4.32 gstreamer1.0-plugins-good: on wayland qt5 needs qtwayland gstreamer1.0-libav: add comercial license flags as ffmpeg needs this gstreamer1.0-plugins-bad: add srt package config knob ffmpeg: add srt package config knob gstreamer1.0-plugins-good: add package config knob for the Raspberry Pi Joseph Reynolds (1): add new extrausers command passwd-expire Joshua Watt (8): documentation: Add Pipenv support systemd: Re-enable chvt as non-root user without polkit python3-pycryptodomex: upgrade 3.9.8 -> 3.9.9 weston-init: Stop running weston as root python3-pycryptodome: upgrade 3.9.8 -> 3.9.9 bitbake: bitbake: hashserve: Add async client bitbake: bitbake: hashserve: Add support for readonly upstream bitbake: bitbake: cache: Remove bad keys() function Kai Kang (1): sudo: fix multilib conflict Khasim Mohammed (1): grub: add grub-nativesdk Khem Raj (34): webkitgtk: Disable gold linker and JIT on riscv init-ifupdown: Define interfaces file for riscv emulators init-ifupdown: Merge all interface files for differnet qemus musl: Update to latest master qemuboot.bbclass: Fix a typo musl: Add .file directive in crt assembly files musl: Update to latest rpm: Fix error.h handing properly on musl gdb: Update to 10.x release numactl: Link with libatomic on rv64/rv32 gstreamer: Fix build on 32bit arches with 64bit time_t rt-tests: Enable only for x86/ppc64 architectures lto: Add global LTO distro policy file python3: Enable lto if its in DISTRO_FEATURES lto.inc: Add -ffat-lto-objects and -fuse-linker-plugin lto: Introduce LTOEXTRA variable libaio: Disable LTO weston: Fix linking with LTO lto.inc: Disable LTO for xserver-xorg gcc: Do no parameterize LTO configuration flags puzzles: Check for excessive constant arguments lto.inc: Disable LTO for perf gcc: Handle duplicate names for variables musl: Update to latest master lrzsz: Use Cross AR during compile gawk: Avoid using host ar during cross compile lto.inc: Disable LTO for webkit python-numpy: Add support for riscv32 arch-riscv: Enable qemu-usermode on rv32 python3targetconfig.bbclass: Make py3 dep and tasks only for target recipes go: Update to 1.15.5 binutils: Fix linker errors on chromium/ffmpeg on aarch64 python3-numpy: Upgrade to 1.19.4 python3-numpy: Add ptest Konrad Weihmann (3): oeqa/core/context: expose results as variable oeqa/core/context: initialize _run_end_time testimage: print results for interrupted runs Lee Chee Yang (5): bitbake: BBHandler: prompt error when task name contain expression libproxy: fix CVE-2020-26154 python3: fix CVE-2020-27619 python3: whitelist CVE-2020-15523 qemu: fix CVE-2020-24352 Loic Domaigne (1): roofs_*.bbclass: fix missing vardeps for do_rootfs Luca Boccassi (1): dbus: split -common and -tools out of main package Mark Jonas (4): libsdl2: Fix directfb syntax error libsdl2: Fix directfb SDL_RenderFillRect libbsd: Remove BSD-4-Clause from main package libsdl2: Add directfb to PACKAGECONFIG rdepends Martin Jansa (5): tune-arm9tdmi.inc: include arm9tdmi in PACKAGE_ARCHS gnutls: explicitly set --with-librt-prefix webkitgtk: fix opengl PACKAGECONFIG webkitgtk: fix build with x11 enabled weston: add pam to REQUIRED_DISTRO_FEATURES Matt Madison (1): layer.conf: fix syntax error in PATH setting Max Krummenacher (1): linux-firmware: rdepend on license for all nvidia packages Maxime Roussin-BĂ©langer (3): meta: fix some unresponsive homepages and bugtracker links bitbake: cache: remove unused variables. bitbake: monitordisk: remove unused function parameter Mert Kirpici (2): bitbake: fetch2: add zstd support to unpack bitbake: doc/conf.py: add missing import sys Mingli Yu (2): bitbake.conf: Exclude ${CCACHE_DIR} from pseudo database update_udev_hwdb: clean hwdb.bin Nathan Rossi (4): vim: add nativesdk to BBCLASSEXTEND rsync: add nativesdk to BBCLASSEXTEND diffstat: add nativesdk to BBCLASSEXTEND cml1.bbclass: Handle ncurses-native being available via pkg-config Nicolas Dechesne (17): conf: update for release 3.2 poky.yaml: remove unused variables poky.yaml: updates for 3.2 sphinx: releases: add link to 3.1.3 what-i-wish-id-known: replace labels with references to section title sdk-manual: replace labels with references to section title ref-manual: replace labels with references to section title dev-manual: replace labels with references to section title kernel-dev: replace labels with references to section title test-manual: remove unused labels bsp-guide: remove unused labels kernel-dev: remove unused labels profile-manual: remove unused labels sdk-manual: remove unused labels toaster-manual: remove unused labels Makefile: enable parallel build bitbake: docs: Makefile: enable parallel build Norbert Kaminski (1): grub: Add support for RISC-V Paul Barker (11): conf.py: Improve TOC and Outline depth in PDF output conf.py: Add oe_git directive documentation/README: Refer to top-level README for contributions dev-manual-common-tasks: Fix refs to testing branches dev-manual-common-tasks: Update & move patchwork reference dev-manual-common-tasks: Tidy up patch submission process dev-manual-common-tasks: Describe git-send-email accurately dev-manual-common-tasks: Describe how to handle patch feedback dev-manual-common-tasks: Describe how to propose changes to stable branches dev-manual-common-tasks: Re-order patch submission instructions poky.yaml: Define DISTRO_NAME_NO_CAP_LTS Paul Eggleton (10): ref-manual: add reference anchors for each QA check ref-manual: fix for features_check class change ref-manual: QA check updates ref-manual: add PSEUDO_IGNORE_PATHS ref-manual: add IMAGE_VERSION_SUFFIX variable ref-manual: add IMAGE_NAME_SUFFIX variable ref-manual: add migration section for 3.2 ref-manual: add IMAGE_LINK_NAME ref-manual: add migration info for image-artifact-names ref-manual: add migration info about MLPREFIX changes Peter Bergin (2): rt-tests: backport patch that enable build for all archs Revert "rt-tests: Enable only for x86/ppc64 architectures" Purushottam choudhary (1): systemd: selinux hook handling to enumerate nexthop Randy MacLeod (1): libsdl2: Disable video-rpi Randy Witt (4): numactl: Add the recipe for numactl numactl: Remove COMPATIBLE_HOST restrictions numactl: Skip the ptests when numa is not supported rt-tests: Update recipes to use 1.8 Ricardo Salveti (1): dosfstools: add mkfs.vfat to ALTERNATIVE Richard Leitner (4): deb: replace deprecated apt force-yes argument xcb-proto: update to 1.14.1 deb: export INTERCEPT_DIR for remove actions weston-init: introduce WESTON_GROUP Richard Purdie (21): ref-manual/faq: Add entry for why binaries are changed in images dev-manual: Add a note about prelink changing prebuild binaries sstatesig: Log timestamps for hashequiv in reprodubile builds for do_package netbase: Add whitespace to purge bogus hash equivalence from autobuilder scripts/buildhistory_analysis: Avoid tracebacks from file comparision code maintainers: Add myself as numactl maintainer to avoid QA errors bitbake: bitbake: Post release version bump poky.conf: Post release version bump libxcb: Fix install file owner/group bitbake: siggen: Remove broken optimisation bitbake: fetch2/git: Document that we won't support passwords in git urls sstatesig: Remove workaround for bitbake taskhash bug ptest-runner: Fix license as it contains 'or later' clause libdnf: Fix license as it contains 'or later' clause alsa-utils: Fix license to GPLv2 only overview-manual-concepts: Fix the compiler bootstrap process bitbake: Add missing documentation Makefile oeqa/commands: Fix compatibility with python 3.9 fs-perms: Ensure /usr/src/debug/ file modes are correct e2fsprogs: Fix a ptest permissions determinism issue uninative: Don't use single sstate for pseudo-native Robert P. J. Day (3): ref-manual/ref-variables: "PACKAGE_FEEDS_ARCHS" -> "PACKAGE_FEED_ARCHS" README: "yocto-project-qs" -> "brief-yoctoprojectqs" adt-manual: delete obsolete ADT manual, and related content Ross Burton (13): rpm: use libgcrypt instead of OpenSSL for cryptography syslinux: add link to upstream discussion in patch json-glib: use PACKAGECONFIG for tests json-glib: update patch status libical: backport a patch to fix build with ICU 68.1 webkitgtk: fix build with ICU 68.1 cve-check: show real PN/PV python3: add CVE-2007-4559 to whitelist sqlite3: add CVE-2015-3717 to whitelist gstreamer1.0-rtsp-server: set CVE_PRODUCT gstreamer1.0-plugins-base: set CVE_PRODUCT bitbake: providers: selected version not available should be a warning cve-update-db-native: handle all-wildcard versions Saul Wold (1): classes/buildhistory: record LICENSE Sinan Kaya (2): volatile-binds: add /srv to mount and install kernel-uboot: allow compression option to be configurable Stacy Gaikovaia (1): valgrind: helgrind: Intercept libc functions Steve Sakoman (3): netbase: update SRC_URI to reflect new file name openssh: whitelist CVE-2014-9278 cups: whitelist CVE-2018-6553 Tim Orling (22): python3-atomicwrites: move from meta-python python3-attrs: move from meta-python python3-iniconfig: move from meta-python python3-more-itertools: move from meta-python python3-pathlib2: move from meta-python python3-toml: move from meta-python python3-py: move from meta-python python3-setuptools-scm: move from meta-python python3-packaging: move from meta-python python3-wcwidth: move from meta-python python3-zipp: move from meta-python python3-importlib-metadata: move from meta-python python3-pluggy: move from meta-python python3-pytest: move from meta-python maintainers.inc: add self for new pytest packages python3-more-itertools: upgrade 8.5.0 -> 8.6.0 python3-importlib-metadata: upgrade 2.0.0 to 3.1.0 python3-pytest: RDEPENDS on python3-toml python3-hypothesis: move from meta-python python3-sortedcontainers: move from meta-python maintainers.inc: add self for new python recipes python3-hypothesis: upgrade 5.41.3 -> 5.41.4 Tom Hochstein (1): mesa: Add xcb-fixes to loader when using x11 and dri3 Vyacheslav Yurkov (1): license_image.bbclass: use canonical name for license files Wonmin Jung (1): kernel: Set proper LD in KERNEL_KCONFIG_COMMAND Yann Dirson (6): systemtap: split examples and python scripts out of main package systemtap: remove extra dependencies systemtap: clarify the relation between exporter and python3-probes feature systemtap: fix install when python3-probes is disabled in PACKAGECONFIG systemtap: split runtime material in its own package systemtap: avoid RDEPENDS on python3-core when not using python3 Yann E. MORIN (2): common-licenses: add bzip2-1.0.4 recipes-core/busybox: fixup licensing information Yi Zhao (5): resolvconf: do not install dhclient hooks connman: set service to conflict with systemd-networkd pulseaudio: unify volatiles file name dhcpcd: install dhcpcd to /sbin rather than /usr/sbin dhcpcd: upgrade 9.3.1 -> 9.3.2 Yongxin Liu (2): grub: fix several CVEs in grub 2.04 grub: clean up CVE patches zangrc (18): python3-pycairo: upgrade 1.19.1 -> 1.20.0 iproute2: upgrade 5.8.0 -> 5.9.0 icu: upgrade 67.1 -> 68.1 libdnf: upgrade 0.54.2 -> 0.55.0 libinput: upgrade 1.16.2 -> 1.16.3 enchant2: upgrade 2.2.12 -> 2.2.13 libdrm: upgrade 2.4.102 -> 2.4.103 gmp: upgrade 6.2.0 -> 6.2.1 gpgme: upgrade 1.14.0 -> 1.15.0 libunwind: upgrade 1.4.0 -> 1.5.0 msmtp: upgrade 1.8.12 -> 1.8.13 gtk-doc: upgrade 1.33.0 -> 1.33.1 hdparm: upgrade 9.58 -> 9.60 libcap-ng: upgrade 0.8 -> 0.8.1 libjpeg-turbo: upgrade 2.0.5 -> 2.0.6 libxkbcommon: upgrade 1.0.1 -> 1.0.3 pulseaudio: upgrade 13.0 -> 14.0 wireless-regdb: upgrade 2020.04.29 -> 2020.11.20 Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: I22fa6c7160be5ff2105113cc63acc25f8977ae4e
Diffstat (limited to 'poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch')
-rw-r--r--poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch1330
1 files changed, 1330 insertions, 0 deletions
diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
new file mode 100644
index 000000000..896a2145d
--- /dev/null
+++ b/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -0,0 +1,1330 @@
+From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:28:27 -0400
+Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do
+ complex allocations
+
+This attempts to fix the places where we do the following where
+arithmetic_expr may include unvalidated data:
+
+ X = grub_malloc(arithmetic_expr);
+
+It accomplishes this by doing the arithmetic ahead of time using grub_add(),
+grub_sub(), grub_mul() and testing for overflow before proceeding.
+
+Among other issues, this fixes:
+ - allocation of integer overflow in grub_video_bitmap_create()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_png_decode_image_header()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_squash_read_symlink()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_ext2_read_symlink()
+ reported by Chris Coulson,
+ - allocation of integer overflow in read_section_as_string()
+ reported by Chris Coulson.
+
+Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
+ grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
+ grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
+ grub-core/font/font.c | 7 +++++-
+ grub-core/fs/btrfs.c | 28 +++++++++++++++--------
+ grub-core/fs/ext2.c | 10 ++++++++-
+ grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
+ grub-core/fs/sfs.c | 27 +++++++++++++++++-----
+ grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
+ grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
+ grub-core/fs/xfs.c | 11 +++++----
+ grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
+ grub-core/fs/zfs/zfscrypt.c | 7 +++++-
+ grub-core/lib/arg.c | 20 +++++++++++++++--
+ grub-core/loader/i386/bsd.c | 8 ++++++-
+ grub-core/net/dns.c | 9 +++++++-
+ grub-core/normal/charset.c | 10 +++++++--
+ grub-core/normal/cmdline.c | 14 ++++++++++--
+ grub-core/normal/menu_entry.c | 13 +++++++++--
+ grub-core/script/argv.c | 16 +++++++++++--
+ grub-core/script/lexer.c | 21 ++++++++++++++---
+ grub-core/video/bitmap.c | 25 +++++++++++++--------
+ grub-core/video/readers/png.c | 13 +++++++++--
+ 23 files changed, 382 insertions(+), 113 deletions(-)
+
+diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
+index 5e3ec0d..cc5971f 100644
+--- a/grub-core/commands/legacycfg.c
++++ b/grub-core/commands/legacycfg.c
+@@ -32,6 +32,7 @@
+ #include <grub/auth.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -104,13 +105,22 @@ legacy_file (const char *filename)
+ if (newsuffix)
+ {
+ char *t;
+-
++ grub_size_t sz;
++
++ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
++ grub_add (sz, 1, &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail_0;
++ }
++
+ t = suffix;
+- suffix = grub_realloc (suffix, grub_strlen (suffix)
+- + grub_strlen (newsuffix) + 1);
++ suffix = grub_realloc (suffix, sz);
+ if (!suffix)
+ {
+ grub_free (t);
++
++ fail_0:
+ grub_free (entrysrc);
+ grub_free (parsed);
+ grub_free (newsuffix);
+@@ -154,13 +164,22 @@ legacy_file (const char *filename)
+ else
+ {
+ char *t;
++ grub_size_t sz;
++
++ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
++ grub_add (sz, 1, &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail_1;
++ }
+
+ t = entrysrc;
+- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
+- + grub_strlen (parsed) + 1);
++ entrysrc = grub_realloc (entrysrc, sz);
+ if (!entrysrc)
+ {
+ grub_free (t);
++
++ fail_1:
+ grub_free (parsed);
+ grub_free (suffix);
+ return grub_errno;
+diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
+index 4a106ca..cc32903 100644
+--- a/grub-core/commands/wildcard.c
++++ b/grub-core/commands/wildcard.c
+@@ -23,6 +23,7 @@
+ #include <grub/file.h>
+ #include <grub/device.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+
+ #include <regex.h>
+
+@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
+ int i;
+ int j;
+ char **p;
++ grub_size_t sz;
+
+ if (! dest)
+ return ps;
+@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
+ for (j = 0; ps[j]; j++)
+ ;
+
+- p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
++ if (grub_add (i, j, &sz) ||
++ grub_add (sz, 1, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return dest;
++
++ p = grub_realloc (dest, sz);
+ if (! p)
+ {
+ grub_free (dest);
+@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
+ char ch;
+ int i = 0;
+ unsigned len = end - start;
+- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
++ char *buffer;
++ grub_size_t sz;
+
++ /* Worst case size is (len * 2 + 2 + 1). */
++ if (grub_mul (len, 2, &sz) ||
++ grub_add (sz, 3, &sz))
++ return 1;
++
++ buffer = grub_malloc (sz);
+ if (! buffer)
+ return 1;
+
+@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
+ struct match_devices_ctx *ctx = data;
+ char **t;
+ char *buffer;
++ grub_size_t sz;
+
+ /* skip partitions if asked to. */
+ if (ctx->noparts && grub_strchr (name, ','))
+@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
+ if (regexec (ctx->regexp, buffer, 0, 0, 0))
+ {
+ grub_dprintf ("expand", "not matched\n");
++ fail:
+ grub_free (buffer);
+ return 0;
+ }
+
+- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
++ if (grub_add (ctx->ndev, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ goto fail;
++
++ t = grub_realloc (ctx->devs, sz);
+ if (! t)
+ {
+ grub_free (buffer);
+@@ -300,6 +320,7 @@ match_files_iter (const char *name,
+ struct match_files_ctx *ctx = data;
+ char **t;
+ char *buffer;
++ grub_size_t sz;
+
+ /* skip . and .. names */
+ if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
+@@ -315,9 +336,14 @@ match_files_iter (const char *name,
+ if (! buffer)
+ return 1;
+
+- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
+- if (! t)
++ if (grub_add (ctx->nfile, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ goto fail;
++
++ t = grub_realloc (ctx->files, sz);
++ if (!t)
+ {
++ fail:
+ grub_free (buffer);
+ return 1;
+ }
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index e632370..58f8a53 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -25,6 +25,7 @@
+ #include <grub/msdos_partition.h>
+ #include <grub/gpt_partition.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ #ifdef GRUB_UTIL
+ #include <grub/emu/misc.h>
+@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
+ struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
+ / sizeof (struct grub_ldm_vblk)];
+ unsigned i;
++ grub_size_t sz;
+ err = grub_disk_read (disk, cursec, 0,
+ sizeof(vblk), &vblk);
+ if (err)
+@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
+ grub_free (lv);
+ goto fail2;
+ }
+- lv->name = grub_malloc (*ptr + 1);
++ if (grub_add (*ptr, 1, &sz))
++ {
++ grub_free (lv->internal_id);
++ grub_free (lv);
++ goto fail2;
++ }
++ lv->name = grub_malloc (sz);
+ if (!lv->name)
+ {
+ grub_free (lv->internal_id);
+@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
+ if (lv->segments->node_alloc == lv->segments->node_count)
+ {
+ void *t;
+- lv->segments->node_alloc *= 2;
+- t = grub_realloc (lv->segments->nodes,
+- sizeof (*lv->segments->nodes)
+- * lv->segments->node_alloc);
++ grub_size_t sz;
++
++ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
++ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
++ goto fail2;
++
++ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+ goto fail2;
+ lv->segments->nodes = t;
+@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
+ if (comp->segment_alloc == comp->segment_count)
+ {
+ void *t;
+- comp->segment_alloc *= 2;
+- t = grub_realloc (comp->segments,
+- comp->segment_alloc
+- * sizeof (*comp->segments));
++ grub_size_t sz;
++
++ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
++ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
++ goto fail2;
++
++ t = grub_realloc (comp->segments, sz);
+ if (!t)
+ goto fail2;
+ comp->segments = t;
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8e118b3..5edb477 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -30,6 +30,7 @@
+ #include <grub/unicode.h>
+ #include <grub/fontformat.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -360,9 +361,13 @@ static char *
+ read_section_as_string (struct font_file_section *section)
+ {
+ char *str;
++ grub_size_t sz;
+ grub_ssize_t ret;
+
+- str = grub_malloc (section->length + 1);
++ if (grub_add (section->length, 1, &sz))
++ return NULL;
++
++ str = grub_malloc (sz);
+ if (!str)
+ return 0;
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 11272ef..2b65bd5 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -40,6 +40,7 @@
+ #include <grub/btrfs.h>
+ #include <grub/crypto.h>
+ #include <grub/diskfilter.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
+ if (desc->allocated < desc->depth)
+ {
+ void *newdata;
+- desc->allocated *= 2;
+- newdata = grub_realloc (desc->data, sizeof (desc->data[0])
+- * desc->allocated);
++ grub_size_t sz;
++
++ if (grub_mul (desc->allocated, 2, &desc->allocated) ||
++ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ newdata = grub_realloc (desc->data, sz);
+ if (!newdata)
+ return grub_errno;
+ desc->data = newdata;
+@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+ void *tmp;
+- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+- data->devices_attached
+- = grub_realloc (tmp = data->devices_attached,
+- data->n_devices_allocated
+- * sizeof (data->devices_attached[0]));
++ grub_size_t sz;
++
++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++ goto fail;
++
++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+ if (!data->devices_attached)
+ {
++ data->devices_attached = tmp;
++
++ fail:
+ if (ctx.dev_found)
+ grub_device_close (ctx.dev_found);
+- data->devices_attached = tmp;
+ return NULL;
+ }
+ }
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index 9b38980..ac33bcd 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -46,6 +46,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ {
+ char *symlink;
+ struct grub_fshelp_node *diro = node;
++ grub_size_t sz;
+
+ if (! diro->inode_read)
+ {
+@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ }
+ }
+
+- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
++ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ symlink = grub_malloc (sz);
+ if (! symlink)
+ return 0;
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 4f1b52a..7ba5b30 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -28,6 +28,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
+ int len2)
+ {
+ int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
++ grub_size_t sz;
+
+- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
++ if (grub_add (size, len2, &sz) ||
++ grub_add (sz, 1, &sz))
++ return;
++
++ ctx->symlink = grub_realloc (ctx->symlink, sz);
+ if (! ctx->symlink)
+ return;
+
+@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+ {
+ grub_size_t off = 0, csize = 1;
+ char *old;
++ grub_size_t sz;
++
+ csize = entry->len - 5;
+ old = ctx->filename;
+ if (ctx->filename_alloc)
+ {
+ off = grub_strlen (ctx->filename);
+- ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
++ if (grub_add (csize, off, &sz) ||
++ grub_add (sz, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ ctx->filename = grub_realloc (ctx->filename, sz);
+ }
+ else
+ {
+ off = 0;
+- ctx->filename = grub_zalloc (csize + 1);
++ if (grub_add (csize, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ ctx->filename = grub_zalloc (sz);
+ }
+ if (!ctx->filename)
+ {
+@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ if (node->have_dirents >= node->alloc_dirents)
+ {
+ struct grub_fshelp_node *new_node;
+- node->alloc_dirents *= 2;
+- new_node = grub_realloc (node,
+- sizeof (struct grub_fshelp_node)
+- + ((node->alloc_dirents
+- - ARRAY_SIZE (node->dirents))
+- * sizeof (node->dirents[0])));
++ grub_size_t sz;
++
++ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
++ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++ grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
++ goto fail_0;
++
++ new_node = grub_realloc (node, sz);
+ if (!new_node)
+ {
++ fail_0:
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
+ {
+ struct grub_fshelp_node *new_node;
+- new_node = grub_realloc (node,
+- sizeof (struct grub_fshelp_node)
+- + ((node->alloc_dirents
+- - ARRAY_SIZE (node->dirents))
+- * sizeof (node->dirents[0]))
+- + grub_strlen (ctx.symlink) + 1);
++ grub_size_t sz;
++
++ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
++ grub_add (sz, grub_strlen (ctx.symlink), &sz))
++ goto fail_1;
++
++ new_node = grub_realloc (node, sz);
+ if (!new_node)
+ {
++ fail_1:
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 90f7fb3..de2b107 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ if (node->cache && node->cache_size >= node->cache_allocated)
+ {
+ struct cache_entry *e = node->cache;
+- e = grub_realloc (node->cache,node->cache_allocated * 2
+- * sizeof (e[0]));
++ grub_size_t sz;
++
++ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
++ goto fail;
++
++ e = grub_realloc (node->cache, sz);
+ if (!e)
+ {
++ fail:
+ grub_errno = 0;
+ grub_free (node->cache);
+ node->cache = 0;
+@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
+ grub_size_t len = grub_strlen (name);
+ grub_uint8_t *name_u8;
+ int ret;
++ grub_size_t sz;
++
++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++ grub_add (sz, 1, &sz))
++ return 1;
++
+ *node = grub_malloc (sizeof (**node));
+ if (!*node)
+ return 1;
+- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ name_u8 = grub_malloc (sz);
+ if (!name_u8)
+ {
+ grub_free (*node);
+@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
+ data = grub_sfs_mount (disk);
+ if (data)
+ {
+- grub_size_t len = grub_strlen (data->label);
+- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ grub_size_t sz, len = grub_strlen (data->label);
++
++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++ grub_add (sz, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ *label = grub_malloc (sz);
+ if (*label)
+ *grub_latin1_to_utf8 ((grub_uint8_t *) *label,
+ (const grub_uint8_t *) data->label,
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 95d5c1e..7851238 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/deflate.h>
++#include <grub/safemath.h>
+ #include <minilzo.h>
+
+ #include "xz.h"
+@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
+ {
+ char *ret;
+ grub_err_t err;
+- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
++ grub_size_t sz;
++
++ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ ret = grub_malloc (sz);
++ if (!ret)
++ return NULL;
+
+ err = read_chunk (node->data, ret,
+ grub_le_to_cpu32 (node->ino.symlink.namelen),
+@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+
+ {
+ grub_fshelp_node_t node;
+- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_size_t sz;
++
++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (!node)
+ return 0;
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz);
+ if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+
+@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ {
+ grub_err_t err;
+
+- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (!node)
+ return 0;
+
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz);
+
+ node->stsize--;
+ err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
+@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
+ struct grub_squash_dirent di;
+ struct grub_squash_inode ino;
++ grub_size_t sz;
+
+ err = read_chunk (dir->data, &di, sizeof (di),
+ grub_le_to_cpu64 (dir->data->sb.diroffset)
+@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
+ filetype = GRUB_FSHELP_SYMLINK;
+
+- node = grub_malloc (sizeof (*node)
+- + (dir->stsize + 1) * sizeof (dir->stack[0]));
++ if (grub_add (dir->stsize, 1, &sz) ||
++ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (! node)
+ return 0;
+
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
+
+ node->ino = ino;
+ node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index a837616..21ac7f4 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -28,6 +28,7 @@
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
+ #include <grub/udf.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+ utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
+ }
+ if (!outbuf)
+- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++ {
++ grub_size_t size;
++
++ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
++ grub_add (size, 1, &size))
++ goto fail;
++
++ outbuf = grub_malloc (size);
++ }
+ if (outbuf)
+ *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
++
++ fail:
+ grub_free (utf16);
+ return outbuf;
+ }
+@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ grub_size_t sz = U64 (node->block.fe.file_size);
+ grub_uint8_t *raw;
+ const grub_uint8_t *ptr;
+- char *out, *optr;
++ char *out = NULL, *optr;
+
+ if (sz < 4)
+ return NULL;
+@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ if (!raw)
+ return NULL;
+ if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
+- {
+- grub_free (raw);
+- return NULL;
+- }
++ goto fail_1;
+
+- out = grub_malloc (sz * 2 + 1);
++ if (grub_mul (sz, 2, &sz) ||
++ grub_add (sz, 1, &sz))
++ goto fail_0;
++
++ out = grub_malloc (sz);
+ if (!out)
+ {
++ fail_0:
+ grub_free (raw);
+ return NULL;
+ }
+@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ {
+ grub_size_t s;
+ if ((grub_size_t) (ptr - raw + 4) > sz)
+- goto fail;
++ goto fail_1;
+ if (!(ptr[2] == 0 && ptr[3] == 0))
+- goto fail;
++ goto fail_1;
+ s = 4 + ptr[1];
+ if ((grub_size_t) (ptr - raw + s) > sz)
+- goto fail;
++ goto fail_1;
+ switch (*ptr)
+ {
+ case 1:
+ if (ptr[1])
+- goto fail;
++ goto fail_1;
+ /* Fallthrough. */
+ case 2:
+ /* in 4 bytes. out: 1 byte. */
+@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ if (optr != out)
+ *optr++ = '/';
+ if (!read_string (ptr + 4, s - 4, optr))
+- goto fail;
++ goto fail_1;
+ optr += grub_strlen (optr);
+ break;
+ default:
+- goto fail;
++ goto fail_1;
+ }
+ ptr += s;
+ }
+@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ grub_free (raw);
+ return out;
+
+- fail:
++ fail_1:
+ grub_free (raw);
+ grub_free (out);
+ grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index 96ffecb..ea65902 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -899,6 +900,7 @@ static struct grub_xfs_data *
+ grub_xfs_mount (grub_disk_t disk)
+ {
+ struct grub_xfs_data *data = 0;
++ grub_size_t sz;
+
+ data = grub_zalloc (sizeof (struct grub_xfs_data));
+ if (!data)
+@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
+ if (!grub_xfs_sb_valid(data))
+ goto fail;
+
+- data = grub_realloc (data,
+- sizeof (struct grub_xfs_data)
+- - sizeof (struct grub_xfs_inode)
+- + grub_xfs_inode_size(data) + 1);
++ if (grub_add (grub_xfs_inode_size (data),
++ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
++ goto fail;
++
++ data = grub_realloc (data, sz);
+
+ if (! data)
+ goto fail;
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 381dde5..36d0373 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -55,6 +55,7 @@
+ #include <grub/deflate.h>
+ #include <grub/crypto.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+ void *tmp;
+- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+- data->devices_attached
+- = grub_realloc (tmp = data->devices_attached,
+- data->n_devices_allocated
+- * sizeof (data->devices_attached[0]));
++ grub_size_t sz;
++
++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+ if (!data->devices_attached)
+ {
+ data->devices_attached = tmp;
+@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
+ {
+ char *nvpair;
+ char *ret;
+- grub_size_t size;
++ grub_size_t size, sz;
+ int found;
+
+ found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
+ &size, 0);
+ if (!found)
+ return 0;
+- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
++
++ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
++ return 0;
++
++ ret = grub_zalloc (sz);
+ if (!ret)
+ return 0;
+ grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
+diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
+index 1402e0b..de3b015 100644
+--- a/grub-core/fs/zfs/zfscrypt.c
++++ b/grub-core/fs/zfs/zfscrypt.c
+@@ -22,6 +22,7 @@
+ #include <grub/misc.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/zfs/zfs.h>
+@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
+ int passphrase)
+ {
+ struct grub_zfs_wrap_key *key;
++ grub_size_t sz;
++
+ if (!passphrase && keylen > 32)
+ keylen = 32;
+- key = grub_malloc (sizeof (*key) + keylen);
++ if (grub_add (sizeof (*key), keylen, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ key = grub_malloc (sz);
+ if (!key)
+ return grub_errno;
+ key->is_passphrase = passphrase;
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index fd7744a..3288609 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -23,6 +23,7 @@
+ #include <grub/term.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ /* Built-in parser for default options. */
+ static const struct grub_arg_option help_options[] =
+@@ -216,7 +217,13 @@ static inline grub_err_t
+ add_arg (char ***argl, int *num, char *s)
+ {
+ char **p = *argl;
+- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
++ grub_size_t sz;
++
++ if (grub_add (++(*num), 1, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ *argl = grub_realloc (*argl, sz);
+ if (! *argl)
+ {
+ grub_free (p);
+@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ grub_size_t argcnt;
+ struct grub_arg_list *list;
+ const struct grub_arg_option *options;
++ grub_size_t sz0, sz1;
+
+ options = extcmd->options;
+ if (! options)
+@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
+ }
+
+- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
++ if (grub_mul (sizeof (*list), i, &sz0) ||
++ grub_mul (sizeof (char *), argcnt, &sz1) ||
++ grub_add (sz0, sz1, &sz0))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return 0;
++ }
++
++ list = grub_zalloc (sz0);
+ if (! list)
+ return 0;
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index 3730ed3..b92cbe9 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -35,6 +35,7 @@
+ #include <grub/ns8250.h>
+ #include <grub/bsdlabel.h>
+ #include <grub/crypto.h>
++#include <grub/safemath.h>
+ #include <grub/verify.h>
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/int.h>
+@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
+ struct grub_netbsd_btinfo_modules *mods;
+ unsigned i;
+ grub_err_t err;
++ grub_size_t sz;
+
+ for (mod = netbsd_mods; mod; mod = mod->next)
+ modcnt++;
+
+- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
++ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
++ grub_add (sz, sizeof (*mods), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ mods = grub_malloc (sz);
+ if (!mods)
+ return grub_errno;
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index e332d5e..906ec7d 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -22,6 +22,7 @@
+ #include <grub/i18n.h>
+ #include <grub/err.h>
+ #include <grub/time.h>
++#include <grub/safemath.h>
+
+ struct dns_cache_element
+ {
+@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
+ {
+ int na = dns_servers_alloc * 2;
+ struct grub_net_network_level_address *ns;
++ grub_size_t sz;
++
+ if (na < 8)
+ na = 8;
+- ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
++
++ if (grub_mul (na, sizeof (ns[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ ns = grub_realloc (dns_servers, sz);
+ if (!ns)
+ return grub_errno;
+ dns_servers_alloc = na;
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index d57fb72..4dfcc31 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -48,6 +48,7 @@
+ #include <grub/unicode.h>
+ #include <grub/term.h>
+ #include <grub/normal.h>
++#include <grub/safemath.h>
+
+ #if HAVE_FONT_SOURCE
+ #include "widthspec.h"
+@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ {
+ struct grub_unicode_combining *n;
+ unsigned j;
++ grub_size_t sz;
+
+ if (!haveout)
+ continue;
+@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ n = out->combining_inline;
+ else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
+ {
+- n = grub_realloc (out->combining_ptr,
+- sizeof (n[0]) * (out->ncomb + 1));
++ if (grub_add (out->ncomb, 1, &sz) ||
++ grub_mul (sz, sizeof (n[0]), &sz))
++ goto fail;
++
++ n = grub_realloc (out->combining_ptr, sz);
+ if (!n)
+ {
++ fail:
+ grub_errno = GRUB_ERR_NONE;
+ continue;
+ }
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index c57242e..de03fe6 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -28,6 +28,7 @@
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ static grub_uint32_t *kill_buf;
+
+@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
+ if (len + (*llen) >= (*max_len))
+ {
+ grub_uint32_t *nbuf;
+- (*max_len) *= 2;
+- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
++ grub_size_t sz;
++
++ if (grub_mul (*max_len, 2, max_len) ||
++ grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail;
++ }
++
++ nbuf = grub_realloc ((*buf), sz);
+ if (nbuf)
+ (*buf) = nbuf;
+ else
+ {
++ fail:
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ (*max_len) /= 2;
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index 1993995..50eef91 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -27,6 +27,7 @@
+ #include <grub/auth.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ enum update_mode
+ {
+@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
+ {
+ if (linep->max_len < linep->len + extra)
+ {
+- linep->max_len = 2 * (linep->len + extra);
+- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
++ grub_size_t sz0, sz1;
++
++ if (grub_add (linep->len, extra, &sz0) ||
++ grub_mul (sz0, 2, &sz0) ||
++ grub_add (sz0, 1, &sz1) ||
++ grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
++ return 0;
++
++ linep->buf = grub_realloc (linep->buf, sz1);
+ if (! linep->buf)
+ return 0;
++ linep->max_len = sz0;
+ }
+
+ return 1;
+diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
+index 217ec5d..5751fdd 100644
+--- a/grub-core/script/argv.c
++++ b/grub-core/script/argv.c
+@@ -20,6 +20,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+
+ /* Return nearest power of two that is >= v. */
+ static unsigned
+@@ -81,11 +82,16 @@ int
+ grub_script_argv_next (struct grub_script_argv *argv)
+ {
+ char **p = argv->args;
++ grub_size_t sz;
+
+ if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
+ return 0;
+
+- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
++ if (grub_add (argv->argc, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return 1;
++
++ p = grub_realloc (p, round_up_exp (sz));
+ if (! p)
+ return 1;
+
+@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
+ {
+ grub_size_t a;
+ char *p = argv->args[argv->argc - 1];
++ grub_size_t sz;
+
+ if (! s)
+ return 0;
+
+ a = p ? grub_strlen (p) : 0;
+
+- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
++ if (grub_add (a, slen, &sz) ||
++ grub_add (sz, 1, &sz) ||
++ grub_mul (sz, sizeof (char), &sz))
++ return 1;
++
++ p = grub_realloc (p, round_up_exp (sz));
+ if (! p)
+ return 1;
+
+diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
+index c6bd317..5fb0cbd 100644
+--- a/grub-core/script/lexer.c
++++ b/grub-core/script/lexer.c
+@@ -24,6 +24,7 @@
+ #include <grub/mm.h>
+ #include <grub/script_sh.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ #define yytext_ptr char *
+ #include "grub_script.tab.h"
+@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
+ old = lexer->recording;
+ if (lexer->recordlen < len)
+ lexer->recordlen = len;
+- lexer->recordlen *= 2;
++
++ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
++ goto fail;
++
+ lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
+ if (!lexer->recording)
+ {
++ fail:
+ grub_free (old);
+ lexer->recordpos = 0;
+ lexer->recordlen = 0;
+@@ -130,7 +135,7 @@ int
+ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ const char *input)
+ {
+- grub_size_t len = 0;
++ grub_size_t len = 0, sz;
+ char *p = 0;
+ char *line = 0;
+ YY_BUFFER_STATE buffer;
+@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ }
+ else if (len && line[len - 1] != '\n')
+ {
+- p = grub_realloc (line, len + 2);
++ if (grub_add (len, 2, &sz))
++ {
++ grub_free (line);
++ grub_script_yyerror (parserstate, N_("overflow is detected"));
++ return 1;
++ }
++
++ p = grub_realloc (line, sz);
+ if (p)
+ {
+ p[len++] = '\n';
+ p[len] = '\0';
+ }
++ else
++ grub_free (line);
++
+ line = p;
+ }
+
+diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
+index b2e0315..6256e20 100644
+--- a/grub-core/video/bitmap.c
++++ b/grub-core/video/bitmap.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+ enum grub_video_blit_format blit_format)
+ {
+ struct grub_video_mode_info *mode_info;
+- unsigned int size;
++ grub_size_t size;
+
+ if (!bitmap)
+ return grub_error (GRUB_ERR_BUG, "invalid argument");
+@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+
+ mode_info->pitch = width * mode_info->bytes_per_pixel;
+
+- /* Calculate size needed for the data. */
+- size = (width * mode_info->bytes_per_pixel) * height;
++ /* Calculate size needed for the data. */
++ if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
++ grub_mul (size, height, &size))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ goto fail;
++ }
+
+ (*bitmap)->data = grub_zalloc (size);
+ if (! (*bitmap)->data)
+- {
+- grub_free (*bitmap);
+- *bitmap = 0;
+-
+- return grub_errno;
+- }
++ goto fail;
+
+ return GRUB_ERR_NONE;
++
++ fail:
++ grub_free (*bitmap);
++ *bitmap = NULL;
++
++ return grub_errno;
+ }
+
+ /* Frees all resources allocated by bitmap. */
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 61bd645..0157ff7 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp <<= 1;
+
+ data->color_bits = color_bits;
+- data->row_bytes = data->image_width * data->bpp;
++
++ if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
+ if (data->color_bits <= 4)
+- data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
++ {
++ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ data->row_bytes >>= 3;
++ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+ if (data->is_16bit || data->is_gray || data->is_palette)
+--
+2.14.4
+
generated by cgit v1.2.3 (git 2.39.0) at 2024-07-08 01:54:54 +0300