Date: Sat, 19 Nov 2022 13:57:59 +0100
From: "Thomas Schmitt"
To: grub-devel@gnu.org
Cc: fengtao40@huawei.com
Subject: Re: Possible memory fault in fs/iso9660 (correction)

Hi,

i wrote:
> I think the loop end condition should use 4 rather than 1:
>   (char *) entry < (char *) sua + sua_size - 4 && entry->len > 0

Urm ... better "3 rather than 1":

  (char *) entry < (char *) sua + sua_size - 3 && entry->len > 0

The memory fault by entry->len will appear if

  entry >= sua + sua_size - 2

(Only good i did not submit a patch attempt.
 Why is that "- 1" present anyways?
 Shall it ensure the presence of entry->type?)

Have a nice day :)

Thomas
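
The effect of the two bounds discussed in the message above, as an added example that is not part of the original mail and not GRUB's own code. It assumes the length byte sits at offset 2 of each entry, consistent with the fault position the message gives; `backing`, `SUA_SIZE`, `walk_sua` and `reads_past_end` are hypothetical names, and the sample area is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUA_SIZE 6   /* logical size of the constructed System Use Area */

/* Constructed sample: one 4-byte entry ("SP", len 4, version 1), then two
   stray bytes. Bytes from index SUA_SIZE on are outside the area; they exist
   only so the over-read stays inside this array and can be observed safely. */
static const uint8_t backing[16] = { 'S', 'P', 4, 1, 'X', 'X' };

/* Walk the area with the thread's loop condition, written with offsets:
   off < sua_size - slack && len > 0, where len is the byte at off + 2
   (assumed position of entry->len).
   Returns the highest offset that was read, or -1 if nothing was read. */
static ptrdiff_t walk_sua(const uint8_t *sua, ptrdiff_t sua_size, ptrdiff_t slack)
{
    ptrdiff_t off = 0, highest = -1;

    while (off < sua_size - slack) {
        uint8_t len = sua[off + 2];      /* corresponds to entry->len */
        highest = off + 2;
        if (len == 0)                    /* the "entry->len > 0" half */
            break;
        off += len;                      /* step to the next entry */
    }
    return highest;
}

/* 1 if the walk read a byte at or beyond SUA_SIZE, else 0. */
static int reads_past_end(ptrdiff_t slack)
{
    return walk_sua(backing, SUA_SIZE, slack) >= SUA_SIZE;
}

int main(void)
{
    printf("slack 1: over-read=%d\n", reads_past_end(1));
    printf("slack 3: over-read=%d\n", reads_past_end(3));
    return 0;
}
```

With slack 1 the loop accepts offset 4 and reads the length byte at offset 6, one byte past the 6-byte area; with slack 3 the loop stops after the first entry because offset 4 no longer leaves room for a length byte inside the area.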