Improved ad-hoc fuzzing coverage revealed a possible access violation around line 342 of ntfs.c when accessing the attr_cur pointer due to the possibility of moving pointer 'next' beyond the end of the valid buffer inside next_attribute. Prevent this for cases where full attribute validation is not performed (such as on attribute lists) by performing a sanity check on the newly calculated next pointer.
Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation) Signed-off-by: Andrew Hamilton <adham...@gmail.com> --- grub-core/fs/ntfs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c index 5b0a18f3d..9aff239c4 100644 --- a/grub-core/fs/ntfs.c +++ b/grub-core/fs/ntfs.c @@ -233,7 +233,12 @@ next_attribute (grub_uint8_t *curr_attribute, void *end, bool validate) return NULL; next += u16at (curr_attribute, 4); - if (validate && validate_attribute (next, end) == false) + if (validate) + { + if (validate_attribute (next, end) == false) + return NULL; + } + else if (next >= (grub_uint8_t *)end) return NULL; return next; -- 2.39.5
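Review bot: the new `else if (next >= (grub_uint8_t *)end)` check in the non-validating path only guarantees that the first byte of `next` lies inside the buffer, but the next call into this function reads the 16-bit length at offset 4 (`next += u16at (curr_attribute, 4)`) and the caller reads the attribute type and header at `next` as well, so a `next` that lands within the last few bytes before `end` passes the check and still reads past the buffer. Suggest requiring that the minimum attribute header fits, i.e. rejecting when `next` plus the header size exceeds `(grub_uint8_t *)end`, rather than comparing `next` alone. In the same path, a zero value returned by `u16at (curr_attribute, 4)` leaves `next == curr_attribute`, which passes the new bound yet makes no forward progress for any caller iterating attributes; the validating branch can reject that inside `validate_attribute`, but this branch should reject a zero length explicitly.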