[syslinux:rockridge] iso9660: Avoid arbitrarily large malloc()s

syslinux-bot for Thomas Schmitt scdbackup at gmx.net
Tue Apr 2 20:45:06 PDT 2013


Commit-ID:  44a33fd5e9dbc7d3a789ac9ec912b7a873adaab0
Gitweb:     http://www.syslinux.org/commit/44a33fd5e9dbc7d3a789ac9ec912b7a873adaab0
Author:     Thomas Schmitt <scdbackup at gmx.net>
AuthorDate: Tue, 2 Apr 2013 20:42:08 -0700
Committer:  H. Peter Anvin <hpa at zytor.com>
CommitDate: Tue, 2 Apr 2013 20:42:08 -0700

iso9660: Avoid arbitrarily large malloc()s

After explaining the slightly wasteful usage of malloc()/memcpy()
with multi-block CE entries, I noticed that I did not install a
safety cap on the malloc size.

I could not challenge this in practice but only by gdb manipulation.
My most CE-happy test image has 3 occasions of multi-block CE.
All three only span over 2 blocks each.

---
 core/fs/iso9660/susp_rr.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/fs/iso9660/susp_rr.c b/core/fs/iso9660/susp_rr.c
index f609f7f..3d99b74 100644
--- a/core/fs/iso9660/susp_rr.c
+++ b/core/fs/iso9660/susp_rr.c
@@ -201,6 +201,10 @@ static int susp_rr_switch_to_ca(struct susp_rr_iter *iter)
     iter->ce_allocated = 0;
     if (num_blocks > 1) {
 	/* The blocks are expected contiguously. Need to consolidate them. */
+	if (num_blocks > 50) {
+	    dprintf("susp_rr.c: More than 100 KB claimed by a CE entry.\n");
+	    return -1;
+	}
 	iter->ce_data = malloc(num_blocks * 2048);
 	if (susp_rr_is_out_of_mem(iter->ce_data))
 	    return -1;
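Review bot: the cap `num_blocks > 50` and the "100 KB" in the dprintf message are two unrelated literals that encode the same limit (50 blocks * 2048 bytes = 102400 bytes), so a future change to one will silently desynchronise the other; consider a named constant such as `#define SUSP_RR_CE_MAX_BLOCKS 50` used in both the comparison and the `malloc(num_blocks * 2048)` below, with the message derived from it. The placement is right: the bound is checked before `malloc()` and after `iter->ce_allocated = 0`, so the early `return -1` does not leave a dangling allocation flag. It would also help to document in the comment why 50 blocks was chosen, since the commit message only notes that real images were seen spanning 2 blocks.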

