From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jonathan Bar Or <jonathanbaror@gmail.com>
Date: Thu, 23 Jan 2025 19:17:05 +0100
Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
 than 2^31 characters

The grub_getline() function currently has a signed integer variable "i"
that can be overflown when user supplies more than 2^31 characters.
It results in a memory corruption of the allocated line buffer as well
as supplying large negative values to grub_realloc().

Fixes: CVE-2025-0690

Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/read.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
index fe3e88b15..7b6735b79 100644
--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
@@ -25,19 +25,21 @@
 #include <grub/types.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
+#include <grub/safemath.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
 static char *
 grub_getline (void)
 {
-  int i;
+  grub_size_t i;
   char *line;
   char *tmp;
   char c;
+  grub_size_t alloc_size;
 
   i = 0;
-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
   if (! line)
     return NULL;
 
@@ -50,8 +52,18 @@ grub_getline (void)
       line[i] = c;
       if (grub_isprint (c))
 	grub_printf ("%c", c);
-      i++;
-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
+
       if (! tmp)
 	{
 	  grub_free (line);