poky: subtree update:7231c10430..0ac99625bf
Alban Bedel (1):
systemd: Fix systemd when used with busybox less
Alejandro Hernandez Samaniego (3):
poky-tiny: Reduce busybox size by 13%
poky-tiny: Enable size optimization by default
python3: Update manifest
Alexander Kamensky (1):
kexec: arm64: disabled check if kaslr-seed dtb property was wiped
Alexander Kanavin (128):
systemd-boot: upgrade 246.2 -> 246.6
glib-2.0: upgrade 2.64.5 -> 2.66.1
cmake: update 3.18.2 -> 3.18.4
python3-pygobject: upgrade 3.36.1 -> 3.38.0
libdazzle: upgrade 3.36.0 -> 3.38.0
gobject-introspection: upgrade 1.64.1 -> 1.66.1
json-glib: upgrade 1.4.4 -> 1.6.0
ovmf: update edk2-stable202005 -> edk2-stable202008
gnu-config: update to latest revision
file: enable all built-in compression checkers
rpm: update 4.15.1 -> 4.16.0
elfutils: update 0.180 -> 0.181
ghostscript: update 9.52 -> 9.53.3
ltp: update 20200515 -> 20200930
gsettings-desktop-schemas: update 3.36.1 -> 3.38.0
libsecret: update 0.20.3 -> 0.20.4
mesa: update 20.1.8 -> 20.2.1
xf86-video-vesa: update 2.4.0 -> 2.5.0
lttng-modules: update 2.12.2 -> 2.12.3
webkitgtk: update 2.28.4 -> 2.30.1
dos2unix: update 7.4.1 -> 7.4.2
gnutls: update 3.16.4 -> 3.16.5
libcap: update 2.43 -> 2.44
vte: update 0.60.3 -> 0.62.1
libhandy: upgrade 0.0.13 -> 1.0.0
libportal: add a recipe
epiphany: upgrade 3.36.4 -> 3.38.1
gtk-doc: upgrade 1.32 -> 1.33.0
rpm: adjust MIPS64 N32 support
apt: remove host contamination with gtest
opkg-utils: correct priority matching in update-alternatives
libxml2: add a patch to fix python 3.9 support
python: update 3.8.5 -> 3.9.0
glib-2.0: update 2.66.1 -> 2.66.2
json-glib: fix reproducibility
spirv-tools: correctly set PV
spirv-tools: upgrade 2019.5 -> 2020.5
glslang: fix upstream version check
glslang: upgrade 8.13.3559 -> 8.13.3743
glslang: bump to a newer commit
shaderc: upgrade 2019.0 -> 2020.3
vulkan: update 1.2.135 -> 1.2.154
vulkan-samples: replace vulkan-demos
piglit: upgrade to latest revision
acpica: upgrade 20200717 -> 20200925
adwaita-icon-theme: upgrade 3.36.1 -> 3.38.0
at-spi2-atk: upgrade 2.34.2 -> 2.38.0
at-spi2-core: upgrade 2.36.1 -> 2.38.0
bison: upgrade 3.7.2 -> 3.7.3
createrepo-c: upgrade 0.16.0 -> 0.16.1
curl: upgrade 7.72.0 -> 7.73.0
debianutils: upgrade 4.11.1 -> 4.11.2
dhcpcd: upgrade 9.2.0 -> 9.3.1
dmidecode: upgrade 3.2 -> 3.3
dnf: upgrade 4.2.23 -> 4.4.0
ethtool: upgrade 5.8 -> 5.9
expat: upgrade 2.2.9 -> 2.2.10
gcr: upgrade 3.36.0 -> 3.38.0
glib-networking: upgrade 2.64.3 -> 2.66.0
gtk+3: upgrade 3.24.22 -> 3.24.23
help2man: upgrade 1.47.15 -> 1.47.16
i2c-tools: upgrade 4.1 -> 4.2
iw: upgrade 5.8 -> 5.9
kmscube: upgrade to latest revision
less: upgrade 562 -> 563
libdnf: upgrade 0.48.0 -> 0.54.2
libgudev: upgrade 233 -> 234
libinput: upgrade 1.16.1 -> 1.16.2
libuv: upgrade 1.39.0 -> 1.40.0
libva: upgrade 2.8.0 -> 2.9.0
libva-utils: update 2.8.0 -> 2.9.1
libwpe: upgrade 1.7.1 -> 1.8.0
libxkbcommon: upgrade 0.10.0 -> 1.0.1
openssh: upgrade 8.3p1 -> 8.4p1
openssl: upgrade 1.1.1g -> 1.1.1h
strace: upgrade 5.8 -> 5.9
sudo: upgrade 1.9.3 -> 1.9.3p1
vala: upgrade 0.48.9 -> 0.50.1
wpebackend-fdo: upgrade 1.7.1 -> 1.8.0
xkeyboard-config: upgrade 2.30 -> 2.31
u-boot: upgrade 2020.07 -> 2020.10
usbutils: upgrade 012 -> 013
nfs-utils: upgrade 2.5.1 -> 2.5.2
dropbear: upgrade 2020.80 -> 2020.81
btrfs-tools: upgrade 5.7 -> 5.9
git: upgrade 2.28.0 -> 2.29.2
go: upgrade 1.15.2 -> 1.15.3
mtools: upgrade 4.0.24 -> 4.0.25
python3-numpy: upgrade 1.19.1 -> 1.19.3
python3-git: upgrade 3.1.7 -> 3.1.11
python3-pyelftools: upgrade 0.26 -> 0.27
python3-pygments: upgrade 2.6.1 -> 2.7.2
python3-setuptools: upgrade 49.6.0 -> 50.3.2
asciidoc: upgrade 9.0.2 -> 9.0.4
iptables: upgrade 1.8.5 -> 1.8.6
libsolv: upgrade 0.7.14 -> 0.7.16
stress-ng: upgrade 0.11.21 -> 0.11.23
libhandy: upgrade 1.0.0 -> 1.0.1
freetype: upgrade 2.10.2 -> 2.10.4
linux-firmware: upgrade 20200817 -> 20201022
alsa: upgrade 1.2.3 -> 1.2.4
gstreamer1.0: upgrade 1.18.0 -> 1.18.1
x264: upgrade to latest revision
rt-tests/hwlatdetect: upgrade 1.8 -> 1.9
webkitgtk: upgrade 2.30.1 -> 2.30.2
diffoscope: upgrade 160 -> 161
enchant2: upgrade 2.2.9 -> 2.2.12
libassuan: upgrade 2.5.3 -> 2.5.4
libcap-ng: upgrade 0.7.11 -> 0.8
libevdev: upgrade 1.9.1 -> 1.10.0
libgcrypt: upgrade 1.8.6 -> 1.8.7
libmpc: upgrade 1.2.0 -> 1.2.1
libsoup-2.4: upgrade 2.70.0 -> 2.72.0
numactl: upgrade 2.0.13 -> 2.0.14
kea: use odd-even version scheme for updates
mesa: fix a build race
clutter-gst-3.0: do not call out to host gstreamer plugin scanner
conf-notes.txt: mention more important images than just sato
weston-init: correctly start under systemd
weston-init: fall back to fbdev under x32
wayland-utils: introduce a recipe
poky/conf-notes.txt: mention more important images than just sato
python3: split python target configuration into own class
python3-pycairo: use python3targetconfig
distutils3-base.bbclass: use python3targetconfig
meta: drop _PYTHON_SYSCONFIGDATA_NAME hacks
gpgme: use python3targetconfig
bitbake: lib/bb/fetch2/__init__.py: drop _PYTHON_SYSCONFIGDATA_NAME unsetting
Alexander Vickberg (1):
socat: make building with OpenSSL support optional
Alistair (1):
weston-init: Fix incorrect idle-time setting
Andrej Valek (1):
autotools: CONFIG_SHELL defaults
Andrey Zhizhikin (1):
insane: add GitLab /archive/ tests
Anibal Limon (1):
recipes-graphics: libxkbcommon disable build of libxkbregistry
Anuj Mittal (2):
glib-2.0: RDEPEND on dbusmock only when GI_DATA_ENABLED is True
distutils-common-base: fix LINKSHARED expansion
Bruce Ashfield (17):
kernel: provide module.lds for out of tree builds in v5.10+
linux-yocto/5.8: update to v5.8.15
linux-yocto/5.4: update to v5.4.71
linux-yocto/5.8: update to v5.8.16
linux-yocto/5.4: update to v5.4.72
linux-yocto/5.8: update to v5.8.17
linux-yocto/5.4: update to v5.4.73
linux-yocto-dev: move to v5.10-rc
linux-yocto/5.4: config cleanup / warnings
linux-yocto/5.8: config cleanup / warnings
linux-yocto/5.8: update to v5.8.18
linux-yocto/5.4: update to v5.4.75
kernel: relocate copy of module.lds to module compilation task
linux-yocto/5.4: perf: Alias SYS_futex with SYS_futex_time64 on 32-bit arches with 64bit time_t
linux-yocto/5.8: perf: Alias SYS_futex with SYS_futex_time64 on 32-bit arches with 64bit time_t
linux-yocto/5.8: ext4/tipc warning fixups
linux-yocto/5.4: update to v5.4.78
Chaitanya Vadrevu (1):
isoimage-isohybrid.py: Support adding files/dirs
Changqing Li (2):
timezone: upgrade to 2020d
vulkan-samples: fix do_compile failure
Chee Yang Lee (2):
bluez5: update to 5.55
ruby: update to 2.7.2
Chris Laplante (4):
bitbake: main: extract creation of argument parser into function so it can be utilized externally, e.g. by unit tests
bitbake: bb.ui: delete __init__.py to make bb.ui a namespace package
bitbake: cookerdata: tweak to avoid mutable default argument
cases/bbtests.py: ensure PACKAGE_CLASSES is set to RPM for bbtests.BitbakeTests.test_force_task_1
Dan Callaghan (1):
gdb: add PACKAGECONFIG for xz (lzma) compression support
Denys Dmytriyenko (1):
grep: upgrade 3.4 -> 3.5
Denys Zagorui (1):
binutils: reproducibility: reuse debug-prefix-map for stabs
Federico Pellegrin (1):
openssl: Add c_rehash to misc package and add perl runtime dependency
Fedor Ross (2):
sysvinit: remove bashism to be compatible with dash
eudev: remove bashism to be compatible with dash
Fredrik Gustafsson (1):
package management: Allow dynamic loading of PM
Gratian Crisan (1):
kernel-module-split.bbclass: identify kernel modconf files as configuration files
He Zhe (1):
lttng-modules: Backport a patch to fix btrfs build failure
Hombourger, Cedric (1):
bitbake: fetch2: use relative symlinks for anything pulled from PREMIRRORS
Hongxu Jia (1):
bitbake: Revert "bb.ui: delete __init__.py to make bb.ui a namespace package"
INC@Cisco) (1):
kernel-devsrc: improve reproducibility for arm64
Jason Wessel (2):
base-files/profile: Add universal resize function
systemd-serialgetty: Switch to TERM=linux
Jose Quaresma (31):
spirv-tools: import from meta-oe to OE core
spirv-tools: enable native build and install more header files
glslang: add receipe
shaderc: add receipe
spirv-tools: fix identation and cleanup install append
maintainers.inc: Add Jose Quaresma
gstreamer1.0: Fix reproducibility issue around libcap
gstreamer1.0: upgrade to version 1.18.0
gstreamer1.0-plugins-base: upgrade to version 1.18.0
gstreamer1.0-plugins-base: add new meson option as PACKAGECONFIG
gstreamer1.0-plugins-good: upgrade to version 1.18.0
gstreamer1.0-plugins-good: disable new meson options
gstreamer1.0-plugins-good: add new meson option as PACKAGECONFIG
gstreamer1.0-plugins-bad: upgrade to version 1.18.0
gstreamer1.0-plugins-bad: disable new meson options
gstreamer1.0-plugins-bad: add new meson options as PACKAGECONFIG
gstreamer1.0-plugins-ugly: upgrade to version 1.18.0
gstreamer1.0-python: upgrade to version 1.18.0
gstreamer1.0-python: install append is not need any more
gstreamer1.0-rtsp-server: upgrade to version 1.18.0
gstreamer1.0-vaapi: upgrade to version 1.18.0
gst-examples: upgrade to version 1.18.0
gstreamer1.0-omx: upgrade to version 1.18.0
gstreamer1.0-libav: upgrade to version 1.18.0
gst-devtools: add version 1.18.0 (gst-validate -> gst-devtools)
orc: Upgrade 0.4.31 -> 0.4.32
gstreamer1.0-plugins-good: on wayland qt5 needs qtwayland
gstreamer1.0-libav: add comercial license flags as ffmpeg needs this
gstreamer1.0-plugins-bad: add srt package config knob
ffmpeg: add srt package config knob
gstreamer1.0-plugins-good: add package config knob for the Raspberry Pi
Joseph Reynolds (1):
add new extrausers command passwd-expire
Joshua Watt (8):
documentation: Add Pipenv support
systemd: Re-enable chvt as non-root user without polkit
python3-pycryptodomex: upgrade 3.9.8 -> 3.9.9
weston-init: Stop running weston as root
python3-pycryptodome: upgrade 3.9.8 -> 3.9.9
bitbake: bitbake: hashserve: Add async client
bitbake: bitbake: hashserve: Add support for readonly upstream
bitbake: bitbake: cache: Remove bad keys() function
Kai Kang (1):
sudo: fix multilib conflict
Khasim Mohammed (1):
grub: add grub-nativesdk
Khem Raj (34):
webkitgtk: Disable gold linker and JIT on riscv
init-ifupdown: Define interfaces file for riscv emulators
init-ifupdown: Merge all interface files for differnet qemus
musl: Update to latest master
qemuboot.bbclass: Fix a typo
musl: Add .file directive in crt assembly files
musl: Update to latest
rpm: Fix error.h handing properly on musl
gdb: Update to 10.x release
numactl: Link with libatomic on rv64/rv32
gstreamer: Fix build on 32bit arches with 64bit time_t
rt-tests: Enable only for x86/ppc64 architectures
lto: Add global LTO distro policy file
python3: Enable lto if its in DISTRO_FEATURES
lto.inc: Add -ffat-lto-objects and -fuse-linker-plugin
lto: Introduce LTOEXTRA variable
libaio: Disable LTO
weston: Fix linking with LTO
lto.inc: Disable LTO for xserver-xorg
gcc: Do no parameterize LTO configuration flags
puzzles: Check for excessive constant arguments
lto.inc: Disable LTO for perf
gcc: Handle duplicate names for variables
musl: Update to latest master
lrzsz: Use Cross AR during compile
gawk: Avoid using host ar during cross compile
lto.inc: Disable LTO for webkit
python-numpy: Add support for riscv32
arch-riscv: Enable qemu-usermode on rv32
python3targetconfig.bbclass: Make py3 dep and tasks only for target recipes
go: Update to 1.15.5
binutils: Fix linker errors on chromium/ffmpeg on aarch64
python3-numpy: Upgrade to 1.19.4
python3-numpy: Add ptest
Konrad Weihmann (3):
oeqa/core/context: expose results as variable
oeqa/core/context: initialize _run_end_time
testimage: print results for interrupted runs
Lee Chee Yang (5):
bitbake: BBHandler: prompt error when task name contain expression
libproxy: fix CVE-2020-26154
python3: fix CVE-2020-27619
python3: whitelist CVE-2020-15523
qemu: fix CVE-2020-24352
Loic Domaigne (1):
roofs_*.bbclass: fix missing vardeps for do_rootfs
Luca Boccassi (1):
dbus: split -common and -tools out of main package
Mark Jonas (4):
libsdl2: Fix directfb syntax error
libsdl2: Fix directfb SDL_RenderFillRect
libbsd: Remove BSD-4-Clause from main package
libsdl2: Add directfb to PACKAGECONFIG rdepends
Martin Jansa (5):
tune-arm9tdmi.inc: include arm9tdmi in PACKAGE_ARCHS
gnutls: explicitly set --with-librt-prefix
webkitgtk: fix opengl PACKAGECONFIG
webkitgtk: fix build with x11 enabled
weston: add pam to REQUIRED_DISTRO_FEATURES
Matt Madison (1):
layer.conf: fix syntax error in PATH setting
Max Krummenacher (1):
linux-firmware: rdepend on license for all nvidia packages
Maxime Roussin-BĂ©langer (3):
meta: fix some unresponsive homepages and bugtracker links
bitbake: cache: remove unused variables.
bitbake: monitordisk: remove unused function parameter
Mert Kirpici (2):
bitbake: fetch2: add zstd support to unpack
bitbake: doc/conf.py: add missing import sys
Mingli Yu (2):
bitbake.conf: Exclude ${CCACHE_DIR} from pseudo database
update_udev_hwdb: clean hwdb.bin
Nathan Rossi (4):
vim: add nativesdk to BBCLASSEXTEND
rsync: add nativesdk to BBCLASSEXTEND
diffstat: add nativesdk to BBCLASSEXTEND
cml1.bbclass: Handle ncurses-native being available via pkg-config
Nicolas Dechesne (17):
conf: update for release 3.2
poky.yaml: remove unused variables
poky.yaml: updates for 3.2
sphinx: releases: add link to 3.1.3
what-i-wish-id-known: replace labels with references to section title
sdk-manual: replace labels with references to section title
ref-manual: replace labels with references to section title
dev-manual: replace labels with references to section title
kernel-dev: replace labels with references to section title
test-manual: remove unused labels
bsp-guide: remove unused labels
kernel-dev: remove unused labels
profile-manual: remove unused labels
sdk-manual: remove unused labels
toaster-manual: remove unused labels
Makefile: enable parallel build
bitbake: docs: Makefile: enable parallel build
Norbert Kaminski (1):
grub: Add support for RISC-V
Paul Barker (11):
conf.py: Improve TOC and Outline depth in PDF output
conf.py: Add oe_git directive
documentation/README: Refer to top-level README for contributions
dev-manual-common-tasks: Fix refs to testing branches
dev-manual-common-tasks: Update & move patchwork reference
dev-manual-common-tasks: Tidy up patch submission process
dev-manual-common-tasks: Describe git-send-email accurately
dev-manual-common-tasks: Describe how to handle patch feedback
dev-manual-common-tasks: Describe how to propose changes to stable branches
dev-manual-common-tasks: Re-order patch submission instructions
poky.yaml: Define DISTRO_NAME_NO_CAP_LTS
Paul Eggleton (10):
ref-manual: add reference anchors for each QA check
ref-manual: fix for features_check class change
ref-manual: QA check updates
ref-manual: add PSEUDO_IGNORE_PATHS
ref-manual: add IMAGE_VERSION_SUFFIX variable
ref-manual: add IMAGE_NAME_SUFFIX variable
ref-manual: add migration section for 3.2
ref-manual: add IMAGE_LINK_NAME
ref-manual: add migration info for image-artifact-names
ref-manual: add migration info about MLPREFIX changes
Peter Bergin (2):
rt-tests: backport patch that enable build for all archs
Revert "rt-tests: Enable only for x86/ppc64 architectures"
Purushottam choudhary (1):
systemd: selinux hook handling to enumerate nexthop
Randy MacLeod (1):
libsdl2: Disable video-rpi
Randy Witt (4):
numactl: Add the recipe for numactl
numactl: Remove COMPATIBLE_HOST restrictions
numactl: Skip the ptests when numa is not supported
rt-tests: Update recipes to use 1.8
Ricardo Salveti (1):
dosfstools: add mkfs.vfat to ALTERNATIVE
Richard Leitner (4):
deb: replace deprecated apt force-yes argument
xcb-proto: update to 1.14.1
deb: export INTERCEPT_DIR for remove actions
weston-init: introduce WESTON_GROUP
Richard Purdie (21):
ref-manual/faq: Add entry for why binaries are changed in images
dev-manual: Add a note about prelink changing prebuild binaries
sstatesig: Log timestamps for hashequiv in reprodubile builds for do_package
netbase: Add whitespace to purge bogus hash equivalence from autobuilder
scripts/buildhistory_analysis: Avoid tracebacks from file comparision code
maintainers: Add myself as numactl maintainer to avoid QA errors
bitbake: bitbake: Post release version bump
poky.conf: Post release version bump
libxcb: Fix install file owner/group
bitbake: siggen: Remove broken optimisation
bitbake: fetch2/git: Document that we won't support passwords in git urls
sstatesig: Remove workaround for bitbake taskhash bug
ptest-runner: Fix license as it contains 'or later' clause
libdnf: Fix license as it contains 'or later' clause
alsa-utils: Fix license to GPLv2 only
overview-manual-concepts: Fix the compiler bootstrap process
bitbake: Add missing documentation Makefile
oeqa/commands: Fix compatibility with python 3.9
fs-perms: Ensure /usr/src/debug/ file modes are correct
e2fsprogs: Fix a ptest permissions determinism issue
uninative: Don't use single sstate for pseudo-native
Robert P. J. Day (3):
ref-manual/ref-variables: "PACKAGE_FEEDS_ARCHS" -> "PACKAGE_FEED_ARCHS"
README: "yocto-project-qs" -> "brief-yoctoprojectqs"
adt-manual: delete obsolete ADT manual, and related content
Ross Burton (13):
rpm: use libgcrypt instead of OpenSSL for cryptography
syslinux: add link to upstream discussion in patch
json-glib: use PACKAGECONFIG for tests
json-glib: update patch status
libical: backport a patch to fix build with ICU 68.1
webkitgtk: fix build with ICU 68.1
cve-check: show real PN/PV
python3: add CVE-2007-4559 to whitelist
sqlite3: add CVE-2015-3717 to whitelist
gstreamer1.0-rtsp-server: set CVE_PRODUCT
gstreamer1.0-plugins-base: set CVE_PRODUCT
bitbake: providers: selected version not available should be a warning
cve-update-db-native: handle all-wildcard versions
Saul Wold (1):
classes/buildhistory: record LICENSE
Sinan Kaya (2):
volatile-binds: add /srv to mount and install
kernel-uboot: allow compression option to be configurable
Stacy Gaikovaia (1):
valgrind: helgrind: Intercept libc functions
Steve Sakoman (3):
netbase: update SRC_URI to reflect new file name
openssh: whitelist CVE-2014-9278
cups: whitelist CVE-2018-6553
Tim Orling (22):
python3-atomicwrites: move from meta-python
python3-attrs: move from meta-python
python3-iniconfig: move from meta-python
python3-more-itertools: move from meta-python
python3-pathlib2: move from meta-python
python3-toml: move from meta-python
python3-py: move from meta-python
python3-setuptools-scm: move from meta-python
python3-packaging: move from meta-python
python3-wcwidth: move from meta-python
python3-zipp: move from meta-python
python3-importlib-metadata: move from meta-python
python3-pluggy: move from meta-python
python3-pytest: move from meta-python
maintainers.inc: add self for new pytest packages
python3-more-itertools: upgrade 8.5.0 -> 8.6.0
python3-importlib-metadata: upgrade 2.0.0 to 3.1.0
python3-pytest: RDEPENDS on python3-toml
python3-hypothesis: move from meta-python
python3-sortedcontainers: move from meta-python
maintainers.inc: add self for new python recipes
python3-hypothesis: upgrade 5.41.3 -> 5.41.4
Tom Hochstein (1):
mesa: Add xcb-fixes to loader when using x11 and dri3
Vyacheslav Yurkov (1):
license_image.bbclass: use canonical name for license files
Wonmin Jung (1):
kernel: Set proper LD in KERNEL_KCONFIG_COMMAND
Yann Dirson (6):
systemtap: split examples and python scripts out of main package
systemtap: remove extra dependencies
systemtap: clarify the relation between exporter and python3-probes feature
systemtap: fix install when python3-probes is disabled in PACKAGECONFIG
systemtap: split runtime material in its own package
systemtap: avoid RDEPENDS on python3-core when not using python3
Yann E. MORIN (2):
common-licenses: add bzip2-1.0.4
recipes-core/busybox: fixup licensing information
Yi Zhao (5):
resolvconf: do not install dhclient hooks
connman: set service to conflict with systemd-networkd
pulseaudio: unify volatiles file name
dhcpcd: install dhcpcd to /sbin rather than /usr/sbin
dhcpcd: upgrade 9.3.1 -> 9.3.2
Yongxin Liu (2):
grub: fix several CVEs in grub 2.04
grub: clean up CVE patches
zangrc (18):
python3-pycairo: upgrade 1.19.1 -> 1.20.0
iproute2: upgrade 5.8.0 -> 5.9.0
icu: upgrade 67.1 -> 68.1
libdnf: upgrade 0.54.2 -> 0.55.0
libinput: upgrade 1.16.2 -> 1.16.3
enchant2: upgrade 2.2.12 -> 2.2.13
libdrm: upgrade 2.4.102 -> 2.4.103
gmp: upgrade 6.2.0 -> 6.2.1
gpgme: upgrade 1.14.0 -> 1.15.0
libunwind: upgrade 1.4.0 -> 1.5.0
msmtp: upgrade 1.8.12 -> 1.8.13
gtk-doc: upgrade 1.33.0 -> 1.33.1
hdparm: upgrade 9.58 -> 9.60
libcap-ng: upgrade 0.8 -> 0.8.1
libjpeg-turbo: upgrade 2.0.5 -> 2.0.6
libxkbcommon: upgrade 1.0.1 -> 1.0.3
pulseaudio: upgrade 13.0 -> 14.0
wireless-regdb: upgrade 2020.04.29 -> 2020.11.20
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I22fa6c7160be5ff2105113cc63acc25f8977ae4e
diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
new file mode 100644
index 0000000..896a214
--- /dev/null
+++ b/poky/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -0,0 +1,1330 @@
+From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:28:27 -0400
+Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do
+ complex allocations
+
+This attempts to fix the places where we do the following where
+arithmetic_expr may include unvalidated data:
+
+ X = grub_malloc(arithmetic_expr);
+
+It accomplishes this by doing the arithmetic ahead of time using grub_add(),
+grub_sub(), grub_mul() and testing for overflow before proceeding.
+
+Among other issues, this fixes:
+ - allocation of integer overflow in grub_video_bitmap_create()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_png_decode_image_header()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_squash_read_symlink()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_ext2_read_symlink()
+ reported by Chris Coulson,
+ - allocation of integer overflow in read_section_as_string()
+ reported by Chris Coulson.
+
+Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
+ grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
+ grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
+ grub-core/font/font.c | 7 +++++-
+ grub-core/fs/btrfs.c | 28 +++++++++++++++--------
+ grub-core/fs/ext2.c | 10 ++++++++-
+ grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
+ grub-core/fs/sfs.c | 27 +++++++++++++++++-----
+ grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
+ grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
+ grub-core/fs/xfs.c | 11 +++++----
+ grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
+ grub-core/fs/zfs/zfscrypt.c | 7 +++++-
+ grub-core/lib/arg.c | 20 +++++++++++++++--
+ grub-core/loader/i386/bsd.c | 8 ++++++-
+ grub-core/net/dns.c | 9 +++++++-
+ grub-core/normal/charset.c | 10 +++++++--
+ grub-core/normal/cmdline.c | 14 ++++++++++--
+ grub-core/normal/menu_entry.c | 13 +++++++++--
+ grub-core/script/argv.c | 16 +++++++++++--
+ grub-core/script/lexer.c | 21 ++++++++++++++---
+ grub-core/video/bitmap.c | 25 +++++++++++++--------
+ grub-core/video/readers/png.c | 13 +++++++++--
+ 23 files changed, 382 insertions(+), 113 deletions(-)
+
+diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
+index 5e3ec0d..cc5971f 100644
+--- a/grub-core/commands/legacycfg.c
++++ b/grub-core/commands/legacycfg.c
+@@ -32,6 +32,7 @@
+ #include <grub/auth.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -104,13 +105,22 @@ legacy_file (const char *filename)
+ if (newsuffix)
+ {
+ char *t;
+-
++ grub_size_t sz;
++
++ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
++ grub_add (sz, 1, &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail_0;
++ }
++
+ t = suffix;
+- suffix = grub_realloc (suffix, grub_strlen (suffix)
+- + grub_strlen (newsuffix) + 1);
++ suffix = grub_realloc (suffix, sz);
+ if (!suffix)
+ {
+ grub_free (t);
++
++ fail_0:
+ grub_free (entrysrc);
+ grub_free (parsed);
+ grub_free (newsuffix);
+@@ -154,13 +164,22 @@ legacy_file (const char *filename)
+ else
+ {
+ char *t;
++ grub_size_t sz;
++
++ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
++ grub_add (sz, 1, &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail_1;
++ }
+
+ t = entrysrc;
+- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
+- + grub_strlen (parsed) + 1);
++ entrysrc = grub_realloc (entrysrc, sz);
+ if (!entrysrc)
+ {
+ grub_free (t);
++
++ fail_1:
+ grub_free (parsed);
+ grub_free (suffix);
+ return grub_errno;
+diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
+index 4a106ca..cc32903 100644
+--- a/grub-core/commands/wildcard.c
++++ b/grub-core/commands/wildcard.c
+@@ -23,6 +23,7 @@
+ #include <grub/file.h>
+ #include <grub/device.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+
+ #include <regex.h>
+
+@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
+ int i;
+ int j;
+ char **p;
++ grub_size_t sz;
+
+ if (! dest)
+ return ps;
+@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
+ for (j = 0; ps[j]; j++)
+ ;
+
+- p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
++ if (grub_add (i, j, &sz) ||
++ grub_add (sz, 1, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return dest;
++
++ p = grub_realloc (dest, sz);
+ if (! p)
+ {
+ grub_free (dest);
+@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
+ char ch;
+ int i = 0;
+ unsigned len = end - start;
+- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
++ char *buffer;
++ grub_size_t sz;
+
++ /* Worst case size is (len * 2 + 2 + 1). */
++ if (grub_mul (len, 2, &sz) ||
++ grub_add (sz, 3, &sz))
++ return 1;
++
++ buffer = grub_malloc (sz);
+ if (! buffer)
+ return 1;
+
+@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
+ struct match_devices_ctx *ctx = data;
+ char **t;
+ char *buffer;
++ grub_size_t sz;
+
+ /* skip partitions if asked to. */
+ if (ctx->noparts && grub_strchr (name, ','))
+@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
+ if (regexec (ctx->regexp, buffer, 0, 0, 0))
+ {
+ grub_dprintf ("expand", "not matched\n");
++ fail:
+ grub_free (buffer);
+ return 0;
+ }
+
+- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
++ if (grub_add (ctx->ndev, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ goto fail;
++
++ t = grub_realloc (ctx->devs, sz);
+ if (! t)
+ {
+ grub_free (buffer);
+@@ -300,6 +320,7 @@ match_files_iter (const char *name,
+ struct match_files_ctx *ctx = data;
+ char **t;
+ char *buffer;
++ grub_size_t sz;
+
+ /* skip . and .. names */
+ if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
+@@ -315,9 +336,14 @@ match_files_iter (const char *name,
+ if (! buffer)
+ return 1;
+
+- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
+- if (! t)
++ if (grub_add (ctx->nfile, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ goto fail;
++
++ t = grub_realloc (ctx->files, sz);
++ if (!t)
+ {
++ fail:
+ grub_free (buffer);
+ return 1;
+ }
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index e632370..58f8a53 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -25,6 +25,7 @@
+ #include <grub/msdos_partition.h>
+ #include <grub/gpt_partition.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ #ifdef GRUB_UTIL
+ #include <grub/emu/misc.h>
+@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
+ struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
+ / sizeof (struct grub_ldm_vblk)];
+ unsigned i;
++ grub_size_t sz;
+ err = grub_disk_read (disk, cursec, 0,
+ sizeof(vblk), &vblk);
+ if (err)
+@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
+ grub_free (lv);
+ goto fail2;
+ }
+- lv->name = grub_malloc (*ptr + 1);
++ if (grub_add (*ptr, 1, &sz))
++ {
++ grub_free (lv->internal_id);
++ grub_free (lv);
++ goto fail2;
++ }
++ lv->name = grub_malloc (sz);
+ if (!lv->name)
+ {
+ grub_free (lv->internal_id);
+@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
+ if (lv->segments->node_alloc == lv->segments->node_count)
+ {
+ void *t;
+- lv->segments->node_alloc *= 2;
+- t = grub_realloc (lv->segments->nodes,
+- sizeof (*lv->segments->nodes)
+- * lv->segments->node_alloc);
++ grub_size_t sz;
++
++ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
++ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
++ goto fail2;
++
++ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+ goto fail2;
+ lv->segments->nodes = t;
+@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
+ if (comp->segment_alloc == comp->segment_count)
+ {
+ void *t;
+- comp->segment_alloc *= 2;
+- t = grub_realloc (comp->segments,
+- comp->segment_alloc
+- * sizeof (*comp->segments));
++ grub_size_t sz;
++
++ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
++ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
++ goto fail2;
++
++ t = grub_realloc (comp->segments, sz);
+ if (!t)
+ goto fail2;
+ comp->segments = t;
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8e118b3..5edb477 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -30,6 +30,7 @@
+ #include <grub/unicode.h>
+ #include <grub/fontformat.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -360,9 +361,13 @@ static char *
+ read_section_as_string (struct font_file_section *section)
+ {
+ char *str;
++ grub_size_t sz;
+ grub_ssize_t ret;
+
+- str = grub_malloc (section->length + 1);
++ if (grub_add (section->length, 1, &sz))
++ return NULL;
++
++ str = grub_malloc (sz);
+ if (!str)
+ return 0;
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 11272ef..2b65bd5 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -40,6 +40,7 @@
+ #include <grub/btrfs.h>
+ #include <grub/crypto.h>
+ #include <grub/diskfilter.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
+ if (desc->allocated < desc->depth)
+ {
+ void *newdata;
+- desc->allocated *= 2;
+- newdata = grub_realloc (desc->data, sizeof (desc->data[0])
+- * desc->allocated);
++ grub_size_t sz;
++
++ if (grub_mul (desc->allocated, 2, &desc->allocated) ||
++ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ newdata = grub_realloc (desc->data, sz);
+ if (!newdata)
+ return grub_errno;
+ desc->data = newdata;
+@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+ void *tmp;
+- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+- data->devices_attached
+- = grub_realloc (tmp = data->devices_attached,
+- data->n_devices_allocated
+- * sizeof (data->devices_attached[0]));
++ grub_size_t sz;
++
++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++ goto fail;
++
++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+ if (!data->devices_attached)
+ {
++ data->devices_attached = tmp;
++
++ fail:
+ if (ctx.dev_found)
+ grub_device_close (ctx.dev_found);
+- data->devices_attached = tmp;
+ return NULL;
+ }
+ }
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index 9b38980..ac33bcd 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -46,6 +46,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ {
+ char *symlink;
+ struct grub_fshelp_node *diro = node;
++ grub_size_t sz;
+
+ if (! diro->inode_read)
+ {
+@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ }
+ }
+
+- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
++ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ symlink = grub_malloc (sz);
+ if (! symlink)
+ return 0;
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 4f1b52a..7ba5b30 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -28,6 +28,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
+ int len2)
+ {
+ int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
++ grub_size_t sz;
+
+- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
++ if (grub_add (size, len2, &sz) ||
++ grub_add (sz, 1, &sz))
++ return;
++
++ ctx->symlink = grub_realloc (ctx->symlink, sz);
+ if (! ctx->symlink)
+ return;
+
+@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+ {
+ grub_size_t off = 0, csize = 1;
+ char *old;
++ grub_size_t sz;
++
+ csize = entry->len - 5;
+ old = ctx->filename;
+ if (ctx->filename_alloc)
+ {
+ off = grub_strlen (ctx->filename);
+- ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
++ if (grub_add (csize, off, &sz) ||
++ grub_add (sz, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ ctx->filename = grub_realloc (ctx->filename, sz);
+ }
+ else
+ {
+ off = 0;
+- ctx->filename = grub_zalloc (csize + 1);
++ if (grub_add (csize, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ ctx->filename = grub_zalloc (sz);
+ }
+ if (!ctx->filename)
+ {
+@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ if (node->have_dirents >= node->alloc_dirents)
+ {
+ struct grub_fshelp_node *new_node;
+- node->alloc_dirents *= 2;
+- new_node = grub_realloc (node,
+- sizeof (struct grub_fshelp_node)
+- + ((node->alloc_dirents
+- - ARRAY_SIZE (node->dirents))
+- * sizeof (node->dirents[0])));
++ grub_size_t sz;
++
++ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
++ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++ grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
++ goto fail_0;
++
++ new_node = grub_realloc (node, sz);
+ if (!new_node)
+ {
++ fail_0:
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
+ {
+ struct grub_fshelp_node *new_node;
+- new_node = grub_realloc (node,
+- sizeof (struct grub_fshelp_node)
+- + ((node->alloc_dirents
+- - ARRAY_SIZE (node->dirents))
+- * sizeof (node->dirents[0]))
+- + grub_strlen (ctx.symlink) + 1);
++ grub_size_t sz;
++
++ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
++ grub_add (sz, grub_strlen (ctx.symlink), &sz))
++ goto fail_1;
++
++ new_node = grub_realloc (node, sz);
+ if (!new_node)
+ {
++ fail_1:
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 90f7fb3..de2b107 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ if (node->cache && node->cache_size >= node->cache_allocated)
+ {
+ struct cache_entry *e = node->cache;
+- e = grub_realloc (node->cache,node->cache_allocated * 2
+- * sizeof (e[0]));
++ grub_size_t sz;
++
++ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
++ goto fail;
++
++ e = grub_realloc (node->cache, sz);
+ if (!e)
+ {
++ fail:
+ grub_errno = 0;
+ grub_free (node->cache);
+ node->cache = 0;
+@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
+ grub_size_t len = grub_strlen (name);
+ grub_uint8_t *name_u8;
+ int ret;
++ grub_size_t sz;
++
++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++ grub_add (sz, 1, &sz))
++ return 1;
++
+ *node = grub_malloc (sizeof (**node));
+ if (!*node)
+ return 1;
+- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ name_u8 = grub_malloc (sz);
+ if (!name_u8)
+ {
+ grub_free (*node);
+@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
+ data = grub_sfs_mount (disk);
+ if (data)
+ {
+- grub_size_t len = grub_strlen (data->label);
+- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ grub_size_t sz, len = grub_strlen (data->label);
++
++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++ grub_add (sz, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ *label = grub_malloc (sz);
+ if (*label)
+ *grub_latin1_to_utf8 ((grub_uint8_t *) *label,
+ (const grub_uint8_t *) data->label,
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 95d5c1e..7851238 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/deflate.h>
++#include <grub/safemath.h>
+ #include <minilzo.h>
+
+ #include "xz.h"
+@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
+ {
+ char *ret;
+ grub_err_t err;
+- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
++ grub_size_t sz;
++
++ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ ret = grub_malloc (sz);
++ if (!ret)
++ return NULL;
+
+ err = read_chunk (node->data, ret,
+ grub_le_to_cpu32 (node->ino.symlink.namelen),
+@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+
+ {
+ grub_fshelp_node_t node;
+- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_size_t sz;
++
++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (!node)
+ return 0;
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz);
+ if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+
+@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ {
+ grub_err_t err;
+
+- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (!node)
+ return 0;
+
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz);
+
+ node->stsize--;
+ err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
+@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
+ struct grub_squash_dirent di;
+ struct grub_squash_inode ino;
++ grub_size_t sz;
+
+ err = read_chunk (dir->data, &di, sizeof (di),
+ grub_le_to_cpu64 (dir->data->sb.diroffset)
+@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
+ filetype = GRUB_FSHELP_SYMLINK;
+
+- node = grub_malloc (sizeof (*node)
+- + (dir->stsize + 1) * sizeof (dir->stack[0]));
++ if (grub_add (dir->stsize, 1, &sz) ||
++ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (! node)
+ return 0;
+
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
+
+ node->ino = ino;
+ node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index a837616..21ac7f4 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -28,6 +28,7 @@
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
+ #include <grub/udf.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+ utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
+ }
+ if (!outbuf)
+- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++ {
++ grub_size_t size;
++
++ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
++ grub_add (size, 1, &size))
++ goto fail;
++
++ outbuf = grub_malloc (size);
++ }
+ if (outbuf)
+ *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
++
++ fail:
+ grub_free (utf16);
+ return outbuf;
+ }
+@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ grub_size_t sz = U64 (node->block.fe.file_size);
+ grub_uint8_t *raw;
+ const grub_uint8_t *ptr;
+- char *out, *optr;
++ char *out = NULL, *optr;
+
+ if (sz < 4)
+ return NULL;
+@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ if (!raw)
+ return NULL;
+ if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
+- {
+- grub_free (raw);
+- return NULL;
+- }
++ goto fail_1;
+
+- out = grub_malloc (sz * 2 + 1);
++ if (grub_mul (sz, 2, &sz) ||
++ grub_add (sz, 1, &sz))
++ goto fail_0;
++
++ out = grub_malloc (sz);
+ if (!out)
+ {
++ fail_0:
+ grub_free (raw);
+ return NULL;
+ }
+@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ {
+ grub_size_t s;
+ if ((grub_size_t) (ptr - raw + 4) > sz)
+- goto fail;
++ goto fail_1;
+ if (!(ptr[2] == 0 && ptr[3] == 0))
+- goto fail;
++ goto fail_1;
+ s = 4 + ptr[1];
+ if ((grub_size_t) (ptr - raw + s) > sz)
+- goto fail;
++ goto fail_1;
+ switch (*ptr)
+ {
+ case 1:
+ if (ptr[1])
+- goto fail;
++ goto fail_1;
+ /* Fallthrough. */
+ case 2:
+ /* in 4 bytes. out: 1 byte. */
+@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ if (optr != out)
+ *optr++ = '/';
+ if (!read_string (ptr + 4, s - 4, optr))
+- goto fail;
++ goto fail_1;
+ optr += grub_strlen (optr);
+ break;
+ default:
+- goto fail;
++ goto fail_1;
+ }
+ ptr += s;
+ }
+@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ grub_free (raw);
+ return out;
+
+- fail:
++ fail_1:
+ grub_free (raw);
+ grub_free (out);
+ grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index 96ffecb..ea65902 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -899,6 +900,7 @@ static struct grub_xfs_data *
+ grub_xfs_mount (grub_disk_t disk)
+ {
+ struct grub_xfs_data *data = 0;
++ grub_size_t sz;
+
+ data = grub_zalloc (sizeof (struct grub_xfs_data));
+ if (!data)
+@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
+ if (!grub_xfs_sb_valid(data))
+ goto fail;
+
+- data = grub_realloc (data,
+- sizeof (struct grub_xfs_data)
+- - sizeof (struct grub_xfs_inode)
+- + grub_xfs_inode_size(data) + 1);
++ if (grub_add (grub_xfs_inode_size (data),
++ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
++ goto fail;
++
++ data = grub_realloc (data, sz);
+
+ if (! data)
+ goto fail;
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 381dde5..36d0373 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -55,6 +55,7 @@
+ #include <grub/deflate.h>
+ #include <grub/crypto.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+ void *tmp;
+- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+- data->devices_attached
+- = grub_realloc (tmp = data->devices_attached,
+- data->n_devices_allocated
+- * sizeof (data->devices_attached[0]));
++ grub_size_t sz;
++
++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+ if (!data->devices_attached)
+ {
+ data->devices_attached = tmp;
+@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
+ {
+ char *nvpair;
+ char *ret;
+- grub_size_t size;
++ grub_size_t size, sz;
+ int found;
+
+ found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
+ &size, 0);
+ if (!found)
+ return 0;
+- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
++
++ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
++ return 0;
++
++ ret = grub_zalloc (sz);
+ if (!ret)
+ return 0;
+ grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
+diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
+index 1402e0b..de3b015 100644
+--- a/grub-core/fs/zfs/zfscrypt.c
++++ b/grub-core/fs/zfs/zfscrypt.c
+@@ -22,6 +22,7 @@
+ #include <grub/misc.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/zfs/zfs.h>
+@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
+ int passphrase)
+ {
+ struct grub_zfs_wrap_key *key;
++ grub_size_t sz;
++
+ if (!passphrase && keylen > 32)
+ keylen = 32;
+- key = grub_malloc (sizeof (*key) + keylen);
++ if (grub_add (sizeof (*key), keylen, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ key = grub_malloc (sz);
+ if (!key)
+ return grub_errno;
+ key->is_passphrase = passphrase;
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index fd7744a..3288609 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -23,6 +23,7 @@
+ #include <grub/term.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ /* Built-in parser for default options. */
+ static const struct grub_arg_option help_options[] =
+@@ -216,7 +217,13 @@ static inline grub_err_t
+ add_arg (char ***argl, int *num, char *s)
+ {
+ char **p = *argl;
+- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
++ grub_size_t sz;
++
++ if (grub_add (++(*num), 1, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ *argl = grub_realloc (*argl, sz);
+ if (! *argl)
+ {
+ grub_free (p);
+@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ grub_size_t argcnt;
+ struct grub_arg_list *list;
+ const struct grub_arg_option *options;
++ grub_size_t sz0, sz1;
+
+ options = extcmd->options;
+ if (! options)
+@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
+ }
+
+- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
++ if (grub_mul (sizeof (*list), i, &sz0) ||
++ grub_mul (sizeof (char *), argcnt, &sz1) ||
++ grub_add (sz0, sz1, &sz0))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return 0;
++ }
++
++ list = grub_zalloc (sz0);
+ if (! list)
+ return 0;
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index 3730ed3..b92cbe9 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -35,6 +35,7 @@
+ #include <grub/ns8250.h>
+ #include <grub/bsdlabel.h>
+ #include <grub/crypto.h>
++#include <grub/safemath.h>
+ #include <grub/verify.h>
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/int.h>
+@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
+ struct grub_netbsd_btinfo_modules *mods;
+ unsigned i;
+ grub_err_t err;
++ grub_size_t sz;
+
+ for (mod = netbsd_mods; mod; mod = mod->next)
+ modcnt++;
+
+- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
++ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
++ grub_add (sz, sizeof (*mods), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ mods = grub_malloc (sz);
+ if (!mods)
+ return grub_errno;
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index e332d5e..906ec7d 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -22,6 +22,7 @@
+ #include <grub/i18n.h>
+ #include <grub/err.h>
+ #include <grub/time.h>
++#include <grub/safemath.h>
+
+ struct dns_cache_element
+ {
+@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
+ {
+ int na = dns_servers_alloc * 2;
+ struct grub_net_network_level_address *ns;
++ grub_size_t sz;
++
+ if (na < 8)
+ na = 8;
+- ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
++
++ if (grub_mul (na, sizeof (ns[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ ns = grub_realloc (dns_servers, sz);
+ if (!ns)
+ return grub_errno;
+ dns_servers_alloc = na;
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index d57fb72..4dfcc31 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -48,6 +48,7 @@
+ #include <grub/unicode.h>
+ #include <grub/term.h>
+ #include <grub/normal.h>
++#include <grub/safemath.h>
+
+ #if HAVE_FONT_SOURCE
+ #include "widthspec.h"
+@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ {
+ struct grub_unicode_combining *n;
+ unsigned j;
++ grub_size_t sz;
+
+ if (!haveout)
+ continue;
+@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ n = out->combining_inline;
+ else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
+ {
+- n = grub_realloc (out->combining_ptr,
+- sizeof (n[0]) * (out->ncomb + 1));
++ if (grub_add (out->ncomb, 1, &sz) ||
++ grub_mul (sz, sizeof (n[0]), &sz))
++ goto fail;
++
++ n = grub_realloc (out->combining_ptr, sz);
+ if (!n)
+ {
++ fail:
+ grub_errno = GRUB_ERR_NONE;
+ continue;
+ }
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index c57242e..de03fe6 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -28,6 +28,7 @@
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ static grub_uint32_t *kill_buf;
+
+@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
+ if (len + (*llen) >= (*max_len))
+ {
+ grub_uint32_t *nbuf;
+- (*max_len) *= 2;
+- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
++ grub_size_t sz;
++
++ if (grub_mul (*max_len, 2, max_len) ||
++ grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail;
++ }
++
++ nbuf = grub_realloc ((*buf), sz);
+ if (nbuf)
+ (*buf) = nbuf;
+ else
+ {
++ fail:
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ (*max_len) /= 2;
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index 1993995..50eef91 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -27,6 +27,7 @@
+ #include <grub/auth.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ enum update_mode
+ {
+@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
+ {
+ if (linep->max_len < linep->len + extra)
+ {
+- linep->max_len = 2 * (linep->len + extra);
+- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
++ grub_size_t sz0, sz1;
++
++ if (grub_add (linep->len, extra, &sz0) ||
++ grub_mul (sz0, 2, &sz0) ||
++ grub_add (sz0, 1, &sz1) ||
++ grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
++ return 0;
++
++ linep->buf = grub_realloc (linep->buf, sz1);
+ if (! linep->buf)
+ return 0;
++ linep->max_len = sz0;
+ }
+
+ return 1;
+diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
+index 217ec5d..5751fdd 100644
+--- a/grub-core/script/argv.c
++++ b/grub-core/script/argv.c
+@@ -20,6 +20,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+
+ /* Return nearest power of two that is >= v. */
+ static unsigned
+@@ -81,11 +82,16 @@ int
+ grub_script_argv_next (struct grub_script_argv *argv)
+ {
+ char **p = argv->args;
++ grub_size_t sz;
+
+ if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
+ return 0;
+
+- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
++ if (grub_add (argv->argc, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return 1;
++
++ p = grub_realloc (p, round_up_exp (sz));
+ if (! p)
+ return 1;
+
+@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
+ {
+ grub_size_t a;
+ char *p = argv->args[argv->argc - 1];
++ grub_size_t sz;
+
+ if (! s)
+ return 0;
+
+ a = p ? grub_strlen (p) : 0;
+
+- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
++ if (grub_add (a, slen, &sz) ||
++ grub_add (sz, 1, &sz) ||
++ grub_mul (sz, sizeof (char), &sz))
++ return 1;
++
++ p = grub_realloc (p, round_up_exp (sz));
+ if (! p)
+ return 1;
+
+diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
+index c6bd317..5fb0cbd 100644
+--- a/grub-core/script/lexer.c
++++ b/grub-core/script/lexer.c
+@@ -24,6 +24,7 @@
+ #include <grub/mm.h>
+ #include <grub/script_sh.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ #define yytext_ptr char *
+ #include "grub_script.tab.h"
+@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
+ old = lexer->recording;
+ if (lexer->recordlen < len)
+ lexer->recordlen = len;
+- lexer->recordlen *= 2;
++
++ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
++ goto fail;
++
+ lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
+ if (!lexer->recording)
+ {
++ fail:
+ grub_free (old);
+ lexer->recordpos = 0;
+ lexer->recordlen = 0;
+@@ -130,7 +135,7 @@ int
+ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ const char *input)
+ {
+- grub_size_t len = 0;
++ grub_size_t len = 0, sz;
+ char *p = 0;
+ char *line = 0;
+ YY_BUFFER_STATE buffer;
+@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ }
+ else if (len && line[len - 1] != '\n')
+ {
+- p = grub_realloc (line, len + 2);
++ if (grub_add (len, 2, &sz))
++ {
++ grub_free (line);
++ grub_script_yyerror (parserstate, N_("overflow is detected"));
++ return 1;
++ }
++
++ p = grub_realloc (line, sz);
+ if (p)
+ {
+ p[len++] = '\n';
+ p[len] = '\0';
+ }
++ else
++ grub_free (line);
++
+ line = p;
+ }
+
+diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
+index b2e0315..6256e20 100644
+--- a/grub-core/video/bitmap.c
++++ b/grub-core/video/bitmap.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+ enum grub_video_blit_format blit_format)
+ {
+ struct grub_video_mode_info *mode_info;
+- unsigned int size;
++ grub_size_t size;
+
+ if (!bitmap)
+ return grub_error (GRUB_ERR_BUG, "invalid argument");
+@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+
+ mode_info->pitch = width * mode_info->bytes_per_pixel;
+
+- /* Calculate size needed for the data. */
+- size = (width * mode_info->bytes_per_pixel) * height;
++ /* Calculate size needed for the data. */
++ if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
++ grub_mul (size, height, &size))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ goto fail;
++ }
+
+ (*bitmap)->data = grub_zalloc (size);
+ if (! (*bitmap)->data)
+- {
+- grub_free (*bitmap);
+- *bitmap = 0;
+-
+- return grub_errno;
+- }
++ goto fail;
+
+ return GRUB_ERR_NONE;
++
++ fail:
++ grub_free (*bitmap);
++ *bitmap = NULL;
++
++ return grub_errno;
+ }
+
+ /* Frees all resources allocated by bitmap. */
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 61bd645..0157ff7 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp <<= 1;
+
+ data->color_bits = color_bits;
+- data->row_bytes = data->image_width * data->bpp;
++
++ if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
+ if (data->color_bits <= 4)
+- data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
++ {
++ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ data->row_bytes >>= 3;
++ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+ if (data->is_16bit || data->is_gray || data->is_palette)
+--
+2.14.4
+