osdep/unix/hostdisk: Fix signed integer overflow

The potential overflow issue arises at "size += ret;" because "size"
is of type ssize_t (signed) while "len" is size_t (unsigned). Repeatedly
adding read sizes, "ret", to "size" can potentially exceed the maximum
value of ssize_t, causing it to overflow into a negative or incorrect value.
The fix is to ensure "len" is within the range of SSIZE_MAX.

Fixes: CID 473850
Fixes: CID 473863

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen 2025-06-05 05:03:19 +00:00 committed by Daniel Kiper
parent 438f055819
commit 86e8f2c4b0

@ -101,6 +101,9 @@ grub_util_fd_read (grub_util_fd_t fd, char *buf, size_t len)
{
ssize_t size = 0;
if (len > SSIZE_MAX)
return -1;
while (len)
{
ssize_t ret = read (fd, buf, len);
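Review bot: The early `return -1;` added ahead of the `while (len)` loop in grub_util_fd_read leaves errno untouched, so any caller that builds its error message from errno after a -1 return would report whatever an earlier call left there rather than the oversized length. Consider setting errno (for example `errno = EINVAL;`) before returning, and adding a one-line comment that the bound exists because the running total `size` is an ssize_t while `len` is a size_t.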
@ -131,6 +134,9 @@ grub_util_fd_write (grub_util_fd_t fd, const char *buf, size_t len)
{
ssize_t size = 0;
if (len > SSIZE_MAX)
return -1;
while (len)
{
ssize_t ret = write (fd, buf, len);
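Review bot: The `if (len > SSIZE_MAX)` guard in grub_util_fd_write depends on SSIZE_MAX being defined, yet neither hunk of this patch adds an include, so please confirm that <limits.h> already reaches this file on every host platform that builds it. The same two lines now appear verbatim in both the read and write paths; the errno remark on the read hunk applies here as well, and a shared comment or small helper would keep the two checks from drifting apart.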