From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 14:51:11 +1100
Subject: [PATCH] fs/jfs: Do not move to leaf level if name length is negative

Fuzzing JFS revealed crashes where a negative number would be passed
to le_to_cpu16_copy(). There it would be cast to a large positive number
and the copy would read and write off the end of the respective buffers.

Catch this at the top as well as the bottom of the loop.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/fs/jfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index aab3e8c7b..1819899bd 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -563,7 +563,7 @@ grub_jfs_getent (struct grub_jfs_diropen *diro)
 
   /* Move down to the leaf level.  */
   nextent = leaf->next;
-  if (leaf->next != 255)
+  if (leaf->next != 255 && len > 0)
     do
       {
  	next_leaf = &diro->next_leaf[nextent];