calloc: Use calloc() at most places

This modifies most of the places we do some form of:

  X = malloc(Y * Z);

to use calloc(Y, Z) instead.

Among other issues, this fixes:
  - allocation of integer overflow in grub_png_decode_image_header()
    reported by Chris Coulson,
  - allocation of integer overflow in luks_recover_key()
    reported by Chris Coulson,
  - allocation of integer overflow in grub_lvm_detect()
    reported by Chris Coulson.

Fixes: CVE-2020-14308

Signed-off-by: Peter Jones <[email protected]>
Reviewed-by: Daniel Kiper <[email protected]>

Author: vathpela

grub-core/bus/usb/usbhub.c

@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
   grub_usb_set_configuration (dev, 1);
 
   dev->nports = hubdesc.portcnt;
-  dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
-  dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
+  dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
+  dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
   if (!dev->children || !dev->ports)
     {
       grub_free (dev->children);
@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d
 
   /* Query the number of ports the root Hub has.  */
   hub->nports = controller->dev->hubports (controller);
-  hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
-  hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
+  hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
+  hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
   if (!hub->devices || !hub->ports)
     {
       grub_free (hub->devices);

grub-core/commands/efi/lsefisystab.c

@@ -73,7 +73,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
     grub_printf ("Vendor: ");
 
     for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
-    vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
+    /* Allocate extra 3 bytes to simplify math. */
+    vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
     if (!vendor)
       return grub_errno;
     *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,

grub-core/commands/legacycfg.c

@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
   if (argc < 2)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
 
-  cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
+  cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
   if (!cutargs)
     return grub_errno;
   cutargc = argc - 1;
@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
 	    {
 	      char rbuf[3] = "-r";
 	      bsdargc = cutargc + 2;
-	      bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
+	      bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
 	      if (!bsdargs)
 		{
 		  err = grub_errno;
@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
 			   "module");
 
-      newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
+      newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
       if (!newargs)
 	return grub_errno;
       grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));

grub-core/commands/menuentry.c

@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
     goto fail;
 
   /* Save argc, args to pass as parameters to block arg later. */
-  menu_args = grub_malloc (sizeof (char*) * (argc + 1));
+  menu_args = grub_calloc (argc + 1, sizeof (char *));
   if (! menu_args)
     goto fail;
 

grub-core/commands/nativedisk.c

@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
   else
     path_prefix = prefix;
 
-  mods = grub_malloc (argc * sizeof (mods[0]));
+  mods = grub_calloc (argc, sizeof (mods[0]));
   if (!mods)
     return grub_errno;
 

grub-core/commands/parttool.c

@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
   for (nargs = 0; args[nargs].name != 0; nargs++);
   cur->nargs = nargs;
   cur->args = (struct grub_parttool_argdesc *)
-    grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
+    grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
+  if (!cur->args)
+    {
+      grub_free (cur);
+      curhandle--;
+      return -1;
+    }
   grub_memcpy (cur->args, args,
 	       (nargs + 1) * sizeof (struct grub_parttool_argdesc));
 
@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 	return err;
       }
 
-  parsed = (int *) grub_zalloc (argc * sizeof (int));
+  parsed = (int *) grub_calloc (argc, sizeof (int));
 
   for (i = 1; i < argc; i++)
     if (! parsed[i])
@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 	  }
 	ptool = cur;
 	pargs = (struct grub_parttool_args *)
-	  grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
+	  grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
 	for (j = i; j < argc; j++)
 	  if (! parsed[j])
 	    {

grub-core/commands/regexp.c

@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
   if (ret)
     goto fail;
 
-  matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
+  matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
   if (! matches)
     goto fail;
 

grub-core/commands/search_wrap.c

@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
     for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
       nhints++;
 
-  hints = grub_malloc (sizeof (hints[0]) * nhints);
+  hints = grub_calloc (nhints, sizeof (hints[0]));
   if (!hints)
     return grub_errno;
   j = 0;

grub-core/disk/diskfilter.c

@@ -1135,7 +1135,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
   array->lvs->segments->node_count = nmemb;
   array->lvs->segments->raid_member_size = disk_size;
   array->lvs->segments->nodes
-    = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
+    = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
   array->lvs->segments->stripe_size = stripe_size;
   for (i = 0; i < nmemb; i++)
     {
@@ -1227,7 +1227,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
 	  grub_partition_t p;
 	  for (p = disk->partition; p; p = p->parent)
 	    s++;
-	  pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
+	  pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
 	  s = 0;
 	  for (p = disk->partition; p; p = p->parent)
 	    pv->partmaps[s++] = xstrdup (p->partmap->name);

grub-core/disk/ieee1275/ofdisk.c

@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
       /* Power machines documentation specify 672 as maximum SAS disks in
          one system. Using a slightly larger value to be safe. */
       table_size = 768;
-      table = grub_malloc (table_size * sizeof (grub_uint64_t));
+      table = grub_calloc (table_size, sizeof (grub_uint64_t));
 
       if (!table)
         {

grub-core/disk/ldm.c

@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk,
 	  lv->segments->type = GRUB_DISKFILTER_MIRROR;
 	  lv->segments->node_count = 0;
 	  lv->segments->node_alloc = 8;
-	  lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes)
-					     * lv->segments->node_alloc);
+	  lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+					     sizeof (*lv->segments->nodes));
 	  if (!lv->segments->nodes)
 	    goto fail2;
 	  ptr = vblk[i].dynamic;
@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk,
 	    {
 	      comp->segment_alloc = 8;
 	      comp->segment_count = 0;
-	      comp->segments = grub_malloc (sizeof (*comp->segments)
-					    * comp->segment_alloc);
+	      comp->segments = grub_calloc (comp->segment_alloc,
+					    sizeof (*comp->segments));
 	      if (!comp->segments)
 		goto fail2;
 	    }
@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk,
 		}
 	      comp->segments->node_count = read_int (ptr + 1, *ptr);
 	      comp->segments->node_alloc = comp->segments->node_count;
-	      comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes)
-						   * comp->segments->node_alloc);
+	      comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+						   sizeof (*comp->segments->nodes));
 	      if (!lv->segments->nodes)
 		goto fail2;
 	    }
@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors,
       *nsectors = lv->size;
       if (*nsectors > max_nsectors)
 	*nsectors = max_nsectors;
-      *sectors = grub_malloc (*nsectors * sizeof (**sectors));
+      *sectors = grub_calloc (*nsectors, sizeof (**sectors));
       if (!*sectors)
 	return grub_errno;
       for (i = 0; i < *nsectors; i++)

grub-core/disk/luks.c

@@ -178,7 +178,7 @@ luks_recover_key (grub_disk_t source,
 	&& grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
       max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
 
-  split_key = grub_malloc (keysize * max_stripes);
+  split_key = grub_calloc (keysize, max_stripes);
   if (!split_key)
     return grub_errno;
 

grub-core/disk/lvm.c

@@ -210,7 +210,7 @@ grub_lvm_detect (grub_disk_t disk,
      first one.  */
 
   /* Allocate buffer space for the circular worst-case scenario. */
-  metadatabuf = grub_malloc (2 * mda_size);
+  metadatabuf = grub_calloc (2, mda_size);
   if (! metadatabuf)
     goto fail;
 
@@ -465,7 +465,7 @@ grub_lvm_detect (grub_disk_t disk,
 #endif
 		  goto lvs_fail;
 		}
-	      lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count);
+	      lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));
 	      seg = lv->segments;
 
 	      for (i = 0; i < lv->segment_count; i++)
@@ -522,8 +522,8 @@ grub_lvm_detect (grub_disk_t disk,
 		      if (seg->node_count != 1)
 			seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
 
-		      seg->nodes = grub_zalloc (sizeof (*stripe)
-						* seg->node_count);
+		      seg->nodes = grub_calloc (seg->node_count,
+						sizeof (*stripe));
 		      stripe = seg->nodes;
 
 		      p = grub_strstr (p, "stripes = [");
@@ -899,7 +899,7 @@ grub_lvm_detect (grub_disk_t disk,
 		break;
 	    if (lv)
 	      {
-		cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
+		cache->lv->segments = grub_calloc (lv->segment_count, sizeof (*lv->segments));
 		if (!cache->lv->segments)
 		  {
 		    grub_lvm_free_cache_lvs (cache_lvs);
@@ -912,7 +912,7 @@ grub_lvm_detect (grub_disk_t disk,
 		    struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
 		    grub_size_t node_count = lv->segments[i].node_count;
 
-		    cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
+		    cache->lv->segments[i].nodes = grub_calloc (node_count, sizeof (*nodes));
 		    if (!cache->lv->segments[i].nodes)
 		      {
 			for (j = 0; j < i; ++j)

grub-core/disk/xen/xendisk.c

@@ -426,7 +426,7 @@ grub_xendisk_init (void)
   if (!ctr)
     return;
 
-  virtdisks = grub_malloc (ctr * sizeof (virtdisks[0]));
+  virtdisks = grub_calloc (ctr, sizeof (virtdisks[0]));
   if (!virtdisks)
     return;
   if (grub_xenstore_dir ("device/vbd", fill, &ctr))

grub-core/efiemu/loadcore.c

@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
 
   grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize;
   grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
-    grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms);
+    grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
 
   /* Relocators */
   for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);

grub-core/efiemu/mm.c

@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void)
   /* Initialize variables*/
   grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE);
   scanline_events = (struct grub_efiemu_mmap_scan *)
-    grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num);
+    grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2);
 
   /* Number of chunks can't increase more than by factor of 2 */
   result = (grub_efi_memory_descriptor_t *)
-    grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num);
+    grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2);
   if (!result || !scanline_events)
     {
       grub_free (result);
@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void)
 
   /* Preallocate mmap */
   efiemu_mmap = (grub_efi_memory_descriptor_t *)
-    grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t));
+    grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t));
   if (!efiemu_mmap)
     {
       grub_efiemu_unload ();

grub-core/font/font.c

@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
   font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE;
 
   /* Allocate the character index array.  */
-  font->char_index = grub_malloc (font->num_chars
-				  * sizeof (struct char_index_entry));
+  font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry));
   if (!font->char_index)
     return 1;
   font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));

grub-core/fs/affs.c

@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node)
       return 0;
     }
   latin1[symlink_size] = 0;
-  utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1);
+  utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size);
   if (!utf8)
     {
       grub_free (latin1);
@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
 	return 1;
     }
 
-  hashtable = grub_zalloc (data->htsize * sizeof (*hashtable));
+  hashtable = grub_calloc (data->htsize, sizeof (*hashtable));
   if (!hashtable)
     return 1;
 
@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label)
       len = file.namelen;
       if (len > sizeof (file.name))
 	len = sizeof (file.name);
-      *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
+      *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len);
       if (*label)
 	*grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
     }

grub-core/fs/btrfs.c

@@ -415,7 +415,7 @@ lower_bound (struct grub_btrfs_data *data,
     {
       desc->allocated = 16;
       desc->depth = 0;
-      desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated);
+      desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0]));
       if (!desc->data)
 	return grub_errno;
     }
@@ -754,7 +754,7 @@ raid56_read_retry (struct grub_btrfs_data *data,
   grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY;
   grub_uint64_t i, failed_devices;
 
-  buffers = grub_zalloc (sizeof(*buffers) * nstripes);
+  buffers = grub_calloc (nstripes, sizeof (*buffers));
   if (!buffers)
     goto cleanup;
 
@@ -2167,7 +2167,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)),
   *nsectors = 64 * 2 - 1;
   if (*nsectors > max_nsectors)
     *nsectors = max_nsectors;
-  *sectors = grub_malloc (*nsectors * sizeof (**sectors));
+  *sectors = grub_calloc (*nsectors, sizeof (**sectors));
   if (!*sectors)
     return grub_errno;
   for (i = 0; i < *nsectors; i++)

grub-core/fs/hfs.c

@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label)
       grub_size_t len = data->sblock.volname[0];
       if (len > sizeof (data->sblock.volname) - 1)
 	len = sizeof (data->sblock.volname) - 1;
-      *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
+      *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len);
       if (*label)
 	macroman_to_utf8 (*label, data->sblock.volname + 1,
 			  len + 1, 0);

grub-core/fs/hfsplus.c

@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg)
   if (! filename)
     return 0;
 
-  keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname));
+  keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname));
   if (!keyname)
     {
       grub_free (filename);
@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
     grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
 
   label_len = grub_be_to_cpu16 (catkey->namelen);
-  label_name = grub_malloc (label_len * sizeof (*label_name));
+  label_name = grub_calloc (label_len, sizeof (*label_name));
   if (!label_name)
     {
       grub_free (node);
@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
 	}
     }
 
-  *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1);
+  *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1);
   if (! *label)
     {
       grub_free (label_name);