From 3f6b129bdc9bdb9699cddc7b7f76c152f640d584 Mon Sep 17 00:00:00 2001
From: Lidong Chen
Date: Wed, 3 May 2023 17:32:17 +0000
Subject: [PATCH] fs/hfsplus: Validate btree node size

The invalid btree node size can cause crashes when parsing the btree. The fix is to ensure the btree node size is within the valid range defined in the HFS Plus technical note, TN1150 [1].
[1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
---
 grub-core/fs/hfsplus.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 11393ca34..2bc1165c1 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -84,6 +84,9 @@ struct grub_hfsplus_catfile
 #define GRUB_HFSPLUS_FILEMODE_DIRECTORY 0040000
 #define GRUB_HFSPLUS_FILEMODE_SYMLINK 0120000
 
+#define HFSPLUS_BTNODE_MINSZ (1 << 9)
+#define HFSPLUS_BTNODE_MAXSZ (1 << 15)
+
 /* Some pre-defined file IDs. */
 enum
 {
@@ -584,6 +587,10 @@ grub_hfsplus_btree_search (struct grub_hfsplus_btree *btree,
 return 0;
 }
 
+ if (btree->nodesize < HFSPLUS_BTNODE_MINSZ ||
+ btree->nodesize > HFSPLUS_BTNODE_MAXSZ)
+ return grub_error (GRUB_ERR_BAD_FS, "invalid HFS+ btree node size");
+
 node = grub_malloc (btree->nodesize);
 if (! node)
 return grub_errno;
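Review bot: The two macros added in the first hunk (`HFSPLUS_BTNODE_MINSZ`, `HFSPLUS_BTNODE_MAXSZ`) drop the `GRUB_HFSPLUS_` prefix that the neighbouring `GRUB_HFSPLUS_FILEMODE_*` definitions use, and nothing in the file says where 512 and 32768 come from. Renaming them to `GRUB_HFSPLUS_BTNODE_MINSZ` / `GRUB_HFSPLUS_BTNODE_MAXSZ` would keep the namespace consistent. A one-line comment above them, such as `/* B-tree node size limits in bytes, per TN1150 (BTHeaderRec nodeSize). */`, would keep the rationale next to the constants instead of only in the commit message.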
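Review bot: The range check added in the second hunk, in grub_hfsplus_btree_search, enforces only the bounds, while TN1150 also requires the node size to be a power of two. A value such as 513 from a crafted image still reaches `grub_malloc (btree->nodesize)` and the node parsing that follows. If any of that code depends on the power-of-two property, the condition should also include `|| (btree->nodesize & (btree->nodesize - 1)) != 0`. The check also sits in the search path rather than where nodesize is first read from the on-disk header, so other users of `btree->nodesize` outside this hunk are presumably not covered; validating once at mount time would reject the volume before any consumer sees the value. The function body starts and ends outside the hunk, so this should be confirmed against the rest of the file.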