From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1q51Jp-0003uY-No for mharc-grub-devel@gnu.org; Fri, 02 Jun 2023 05:43:37 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q51Jf-0003sf-T0 for grub-devel@gnu.org; Fri, 02 Jun 2023 05:43:28 -0400 Received: from mx0b-00069f02.pphosted.com ([205.220.177.32]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q51Jc-0001ye-M2 for grub-devel@gnu.org; Fri, 02 Jun 2023 05:43:27 -0400 Received: from pps.filterd (m0246632.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 351NtwLO030622 for ; Fri, 2 Jun 2023 09:43:18 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : in-reply-to : references : date : message-id : content-type : mime-version; s=corp-2023-03-30; bh=uYKg4PurlMOVidBGWtXV9MIIUWPSpQtveVWUnFsvZ10=; b=rlDHbxkk9T+UJAJlqxg97T1IxZ+dvKQ2mz+JEGVYApyAJLJfls99bIwzk3MEuP94T2wj RYYq/vZn/HoHF17MzF6NrB3pW0NfCclsRsa0w/NRTitwqX8mDWSPzSgNvTQzBJHTmL6t 8cUwV+eedzHbQZmnIADUBQ5YKNjAsZILLvL2IxH4xFnVp5dKTH3l5TEWkJEOZI/fMxUM BPQN7/MCY+5wxKAbZ923QpqawkyE6gr/BLkvgxjq99JWkFI7bhpIgpk1nvEweR62gFf9 z6FFs7qCjzby7evi6/wkKqTmKIzYkGg+wzzraI2LhMTJqm43aFzJByUE7dMLHgiSX1nG oQ== Received: from phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta03.appoci.oracle.com [138.1.37.129]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3qvhmetk9c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 02 Jun 2023 09:43:17 +0000 Received: from pps.filterd (phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 3528gu51030008 for ; Fri, 2 Jun 2023 09:43:16 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2174.outbound.protection.outlook.com [104.47.59.174]) by phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3qu8a93kbh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 02 Jun 2023 09:43:16 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gsuaPGltYU/p7Mr5qVgnK7FEgIxi1Ao+bZnRIQUaDBiXHspgLLYePph/mMjndahxk2Ic/OpBADhCvSCj4QAUusAGO9YycWApbI6GHsvMUPA7HcBuGxy0ezHNMIi6qALQ2jHwmG9VVUktoBfx1XgQm9vdlYs6dFZlwzEPf8Se+bADfRWK5VN+3aKnG6GFrMFAEDwNhFbOqscsawcoUaBm1VgRf1WhgNjRVissHNP3ikkiewjY7Mjkv/bWE2VkRRaqejQiakXNGhdXrkxq4YLR0Qct6AdhUSKCXE8xRGy+N3D/Mv+ncpw+c0lxtBLDWUu7QToYjmixtnbrXYOnhsjH/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uYKg4PurlMOVidBGWtXV9MIIUWPSpQtveVWUnFsvZ10=; b=JYaciF4K50a1tbtEXJqwVG+cRXI7aOP8kjtmDrN5Uu2+EmHwQH4fRW0jY5XK8ozguqjy1yoU8kqL64BQ5D6n6boLzK2UuMPPLAqDEzx5RcG8qUNZD3cD0NpWi5VZ7cCeTLRvZEZlB4mQVpLgCdQw7QmwJzxY49Dq28+Fg6+u6DKaizLOtqiwmXhXiYISt8eGfyCrL5RydBFFZUcHOrzYRlw0JRxgJ9hOlYQ2aN6WiCWULWAzeqyRT190z3asIppWRToJvDWCXx5nHqhl7K7gThYTTyUE1wqJj/92RZVi1s+PomvyiMv34F0lQxJzliICNY7UN3lqXrk+Wezyzv7Tig== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uYKg4PurlMOVidBGWtXV9MIIUWPSpQtveVWUnFsvZ10=; b=u8MhcY9omexv+7VxzdnKhqR4hlQURtHC7PiXB2PPlj/iiZk9zDAevmXX8+TgmrddSBdLwKRO3QOVgTX9bC4VSt6Wn5wRwPt5J++0CZMvBEf1lVpI+dhY0PvbNMbxRAZmQHq+EbG8D/jjopCYhr7JZpCqVEcnfd7LRgI97dJSO8w= Received: from BLAPR10MB5138.namprd10.prod.outlook.com (2603:10b6:208:322::8) by DM4PR10MB6837.namprd10.prod.outlook.com (2603:10b6:8:107::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6433.26; Fri, 2 Jun 2023 09:43:14 +0000 Received: from BLAPR10MB5138.namprd10.prod.outlook.com ([fe80::8ed9:9d1:444a:c3d1]) by BLAPR10MB5138.namprd10.prod.outlook.com ([fe80::8ed9:9d1:444a:c3d1%6]) with mapi id 15.20.6455.024; Fri, 2 Jun 2023 09:43:14 +0000 From: Darren Kenny To: Lidong Chen , grub-devel@gnu.org Cc: daniel.kiper@oracle.com, lidong.chen@oracle.com Subject: Re: [PATCH 1/1] fs/udf: Fix out of bounds access In-Reply-To: <97ee94e6423f8128ee81c1d29dd38cb6caabe3c6.1685643940.git.lidong.chen@oracle.com> References: <97ee94e6423f8128ee81c1d29dd38cb6caabe3c6.1685643940.git.lidong.chen@oracle.com> Date: Fri, 02 Jun 2023 10:43:10 +0100 Message-ID: Content-Type: text/plain X-ClientProxiedBy: DB6P18901CA0020.EURP189.PROD.OUTLOOK.COM (2603:10a6:4:16::30) To BLAPR10MB5138.namprd10.prod.outlook.com (2603:10b6:208:322::8) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BLAPR10MB5138:EE_|DM4PR10MB6837:EE_ X-MS-Office365-Filtering-Correlation-Id: 0da84ebd-b03d-4c10-cf83-08db634dc907 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: bVgtDcc48bQXbH3yDoNxzNhf3HIP2q0gkJBzIXyi+qzT1BocaWvi8poi8TxMubzzWdLluwl+eu+NYaiU60SNPvWNkV2y81gveoZEHFcLlcHMS7QlkefFmbhZzNCYkPuKWarcZ78+JOdHZyh3pfJ5iwMf+KcTlcoz861UWa535u2epFBLz2EcIjsjP+Sx4myo/5ORv/DMNimQrwxjsiKSfoR/B7zq8n8pMiMEqBjhbomfJzzzUctdKPEuibfID2LXizydsN4DL8OaBA87ntITvAz94M/LkbN6hseQijf7u0cIhsTqpllV/kQV/6sTNg4FosGqzEyr314HMBtEF2GTFcs6z88E6QPORq067Dw82sSuvt69A3EIAcQzfT0nNBwVv0v1L45o3aovL+3qQYwHcjgFE5vGujOXu26EiTaQafXaMVqd1xnCyasrcwdFWA14oWtd3tvzdzxLhXM9WL0MdF43CKdaKthI0Qef0cxLL2hDFjlTZtwT5OV7tICIw/miRicuL+T4PSKQEZXPeuBn83xjA3URcK1CUT7t5YM131I= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR10MB5138.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(396003)(346002)(136003)(376002)(366004)(39860400002)(451199021)(107886003)(6512007)(26005)(6506007)(4326008)(966005)(38100700002)(41300700001)(83380400001)(316002)(66556008)(66476007)(66946007)(478600001)(186003)(2906002)(6666004)(36756003)(6486002)(44832011)(86362001)(5660300002)(8936002)(8676002)(2616005); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?5rL+EKCO0J49tn2w3aGDfeBEqXA+zrIBhMUL9Ls114MWkDe4iP0H7wsI0LHr?= =?us-ascii?Q?wPv3+i1JrbfdrXKW7at1KtxrlPdbfZyNI8EzjkRgknLgu3+W5Shas9m//BXJ?= =?us-ascii?Q?7QipNTYdJIxTrSYDUZmhjowugeP/AlGN53Rsy5J9eLP2h1DKMZVRISG+tWQo?= =?us-ascii?Q?n6wap6CHTxu37JSVwpoAM2/7ZLAH2Q0T8Hrc/BN6PlD7vuy1tQx9aCx/yZu+?= =?us-ascii?Q?BeEt3/AEMfhIUgpz48cG6doiw0ymM3Zf+f129og6LQytjHtdYGWIVndtqp4s?= =?us-ascii?Q?B6654xY2+ivGj40wMltNWNDqUq7Tx8XIup+OJmOU592MmgE431VVHBH2LTRT?= =?us-ascii?Q?PgqM81aYcvF8u/IdFcVKg/MozvzggBvUj7QrlXokFcG2YBBRFsLo5uEKu3JC?= =?us-ascii?Q?l6beuY05VFdhq5C4XWG6v0nsExmnd5U2lBpAaLie4XwwfNoxVml9dPXSvBBU?= =?us-ascii?Q?/Y6U5wsl8zQPXi4coDzQJGp6m2HHgICl8hTnUUlQ1rWlWThXpqRxEci22PrM?= =?us-ascii?Q?VEDwH9fg4M53sAjGmdXaVbI9rXG1iyzRw0DcDijQrJlPfpw4cRjyeqjMH8Gj?= =?us-ascii?Q?XDSNvaKzU659wLfLxFFd9qEVCQ2fhYU9/KhGbl1zxniYFYlAdLabKUB18xjx?= =?us-ascii?Q?WVfPTtNh53yXHOJLwwAA7wxzVwBwBrMyJjdeL/FGgMz4f2VteguHX5xfH5s/?= =?us-ascii?Q?XWAkQM3aWDQYsYSpwkVqspwiW7V2yYJZpS+HUZgRTy3XPw7gRAVuoPbkTEzJ?= =?us-ascii?Q?/P7W7vKBDsUKeQAEsPqm3+DQ1NMujKcGHMgqRkxsVAV7t68SC2A6vDHxi0TV?= =?us-ascii?Q?EPhf5f6VKUIuQuAuKI6ogYiBEkTHIwwKn2jZNqR7qFKJCYYDOCbroCf2u70c?= =?us-ascii?Q?ohBpFi3+bu5G6mCKnB/zt886WCE1DbXOt/bAi0wabZCjBIcl9LXVG/1Vu9uL?= =?us-ascii?Q?GiA/YGVzdwx3uokLQZlnFO3vIZ/rHZoBI9R8MjPSfUp1ZNpG+WhL8F/i/Ous?= =?us-ascii?Q?GgR4Nx5qUgXlRZwS/WxDjKzcnPEcHGuDV/jlM0JPTLnDKBUX0+drxGi1ZD4j?= =?us-ascii?Q?z/cDfldC8MZ9h35eIfwX9ZPwFptAZ3jdzjKDnzDRsn4a6g+aSkLMXgqjNBP1?= =?us-ascii?Q?WfDUUOyQ56S7xjQe39kLqL/mub3ib2R/p78TctSp+osY7icpKzfR8KsEyisA?= =?us-ascii?Q?OZVt0aI4nY92kgshqhtARiyKyLLwTZRtMKeAyvNvbfpochv3wJegpgWtK1Vj?= =?us-ascii?Q?GWfCKxXlteuPxUrEl0WHtfNRjKvDTfgUWpnpO+68U3JrBhERlRRbyj5iImaB?= =?us-ascii?Q?DPryE85zGtU1YFU6hbVmjM/TY5n9RGC7h/TchLQFG5+3HbuKZmmrrO7aEk0D?= =?us-ascii?Q?Tc+/GSBju2HRB1QAcoTsdD5B44eE3FPxgDIXtRAW0hCproTXpnMfvKChNk0t?= =?us-ascii?Q?oRS/qgQnMZzXvL1iPqkOjcC4M9JVqRV3uoFOkwuaHdbNLrEcPce9mrXfgyko?= =?us-ascii?Q?kh37T92ctMwzBA1FBkbiSsc5h74/0iv2DjAzN5e9HSkC6fe6OPl8lBIf7o04?= =?us-ascii?Q?MdpPTptAcg6feBJBS6fw2mHxXHC5T2ZO7IoabruuryYOWc3Iv4X+rmJLah86?= =?us-ascii?Q?xQ=3D=3D?= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: O7WIAoIVBJKYMpy9rPq8zf/f7OLaKhewwnKp2/D2g7rsTh7mBJENaxK8eGIrXXf3ISB/90DkQupJ2bSgOf0cSdVKhONK9XUwhfcqz7JDv/jMs4mKDu3ggucj6jGNEhpAdKAAtvE0bv0TsaSv1I4b+n0G4K1+JdKWvcQL/K/l8wvCO0vA+ThktB/VtLcurMhdfnfFDnA+JvtaCiuBX/Sf9WXZDowuZo70w6N6GGGyYu8DVpam6FuSJXmcGdwp8NsGkBzlMe2fY0cB9/ffzjohHvlXs/e/AXw+3alMsJBWteJoLhO0P/OUocqt0C62kn+eqpQxuQzVRfyfgWo074ILNbsjwfPo2z2dUjrDGO4OLTFgu66pn1T0qWvv8BSxiBJHxdB+dMlCjMGUFuxb88mN3jdv4iz8Qg7s2A5NwCOezHjBsf68HiHHw1j8qbY2uVnlwf1ZHQiy/lDTGpPhcCWsMXQ2dYZv7sVNTCMj6DY9ksFK9Ucrj8z9jItnOVSPwjIC1BPkKQeUEBTKMPEQKLzWLYWq8jIlgLkyLN3juuPz9zhOGEAzNmnBk8icb7Qtk8uzOMeEGZI0pbqLFc/JnGv9cy319Q7aTLDKl+avULOaFtdBivPX4NTgbKEPoT3lSN3geHbU9PH2JS0lVa8YCCsYv+zWQTZcHaOTcymiZXikcxS3v6ZOlsIXQfmgEtfDKfliippq2jWsKQxe5uJvSgtK9C2hrjipxJor+8pbqYFJQpM= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0da84ebd-b03d-4c10-cf83-08db634dc907 X-MS-Exchange-CrossTenant-AuthSource: BLAPR10MB5138.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Jun 2023 09:43:14.1893 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: T517136Ksoi96AW5OCVieGA50ErNjYygASKx9Zn32EnoTMfAEysso52crGqJdr7ITMx1ghJ2zJP2aA2dGbHQTg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR10MB6837 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-06-02_06,2023-05-31_03,2023-05-22_02 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 phishscore=0 mlxscore=0 malwarescore=0 suspectscore=0 mlxlogscore=999 spamscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2306020072 X-Proofpoint-ORIG-GUID: NBfb8ADazl_rHtPUb79Vr1xRqBH9NWGV X-Proofpoint-GUID: NBfb8ADazl_rHtPUb79Vr1xRqBH9NWGV Received-SPF: pass client-ip=205.220.177.32; envelope-from=darren.kenny@oracle.com; helo=mx0b-00069f02.pphosted.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Jun 2023 09:43:30 -0000 Hi Li, In general looks good... On Thursday, 2023-06-01 at 18:50:19 UTC, Lidong Chen wrote: > Implemented a boundary check before advancing the allocation > descriptors pointer. > > Signed-off-by: Lidong Chen > --- > grub-core/fs/udf.c | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c > index 12e88ab62..2359222eb 100644 > --- a/grub-core/fs/udf.c > +++ b/grub-core/fs/udf.c > @@ -458,6 +458,7 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) > char *ptr; > grub_ssize_t len; > grub_disk_addr_t filebytes; > + char *end_ptr; > > switch (U16 (node->block.fe.tag.tag_ident)) > { > @@ -476,9 +477,17 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) > return 0; > } > > + end_ptr = (char *) node + get_fshelp_size (node->data); > + > if ((U16 (node->block.fe.icbtag.flags) & GRUB_UDF_ICBTAG_FLAG_AD_MASK) > == GRUB_UDF_ICBTAG_FLAG_AD_SHORT) > { > + if ((end_ptr - ptr) < (grub_ssize_t) sizeof (struct grub_udf_short_ad)) > Should this probably also be testing ptr < end_ptr? I wonder if a local macro like this would be useful: #define GRUB_UDF_INVALID_STRUCT_PTR(_ptr, _struct) \ ((char *) (_ptr) >= end_ptr || ((grub_ssize_t)(end_ptr - (char*)(_ptr)) < (grub_ssize_t)sizeof(_struct)) or the more positive and succinct version, and subsequent negated (!) test: #define GRUB_UDF_VALID_STRUCT_PTR(_ptr, _struct) \ ((char *)(_ptr) <= (end_ptr - sizeof(_struct))) > + { > + grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system"); > + return 0; > + } > + > struct grub_udf_short_ad *ad = (struct grub_udf_short_ad *) ptr; > > filebytes = fileblock * U32 (node->data->lvd.bsize); > @@ -528,10 +537,23 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) > filebytes -= adlen; > ad++; > len -= sizeof (struct grub_udf_short_ad); > + > + if ((char *) ad >= end_ptr || > + (end_ptr - (char *) ad) < (grub_ssize_t) sizeof (struct grub_udf_short_ad)) > + { > + grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system"); > + return 0; > + } > } > } > else > { > + if ((end_ptr - ptr) < (grub_ssize_t) sizeof (struct grub_udf_long_ad)) > + { > + grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system"); > + return 0; > + } > + > struct grub_udf_long_ad *ad = (struct grub_udf_long_ad *) ptr; > > filebytes = fileblock * U32 (node->data->lvd.bsize); > @@ -583,6 +605,13 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) > filebytes -= adlen; > ad++; > len -= sizeof (struct grub_udf_long_ad); > + > + if ((char *) ad >= end_ptr || > + (end_ptr - (char *) ad) < (grub_ssize_t) sizeof (struct grub_udf_long_ad)) > + { > + grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system"); > + return 0; > + } > } > } > > @@ -602,6 +631,7 @@ grub_udf_read_file (grub_fshelp_node_t node, > case GRUB_UDF_ICBTAG_FLAG_AD_IN_ICB: > { > char *ptr; > + char *end_ptr = (char *) node + get_fshelp_size (node->data); > > ptr = ((U16 (node->block.fe.tag.tag_ident) == GRUB_UDF_TAG_IDENT_FE) ? > ((char *) &node->block.fe.ext_attr[0] > @@ -609,6 +639,12 @@ grub_udf_read_file (grub_fshelp_node_t node, > ((char *) &node->block.efe.ext_attr[0] > + U32 (node->block.efe.ext_attr_length))); > > + if (ptr > end_ptr || (ptr + pos) > end_ptr || (ptr + pos + len) > end_ptr) > Not sure there is a need for all of these, would the last one not suffice? Might be worth testing that pos and len are > 0 if only using that one. Thanks, Darren. > + { > + grub_error (GRUB_ERR_BAD_FS, "corrupted UDF file system"); > + return 0; > + } > + > grub_memcpy (buf, ptr + pos, len); > > return len; > -- > 2.39.1 > > > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel