The potential overflow issue arises at "size += ret;" because "size"
is of type ssize_t (signed) while "len" is size_t (unsigned). Repeatedly
adding read sizes, "ret", to "size" can potentially exceed the maximum
value of ssize_t, causing it to overflow into a negative or incorrect value.
The fix is to ensure "len" is within the range of SSIZE_MAX.
Fixes: CID 473850
Fixes: CID 473863
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
{
ssize_t size = 0;
+ if (len > SSIZE_MAX)
+ return -1;
+
while (len)
{
ssize_t ret = read (fd, buf, len);
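Review bot: The new early return in the read path, `if (len > SSIZE_MAX) return -1;`, does not set errno, so a caller that inspects errno after getting -1 will see whatever value was left there by an earlier call. Setting errno (for example to EINVAL) before the return would let callers tell an oversized request apart from a failed read (). The check itself is placed correctly: it runs before the loop, so "size" can never accumulate past SSIZE_MAX.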
{
ssize_t size = 0;
+ if (len > SSIZE_MAX)
+ return -1;
+
while (len)
{
ssize_t ret = write (fd, buf, len);
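Review bot: The guard added ahead of the write loop carries no comment explaining why "len" is capped, and it duplicates the read-path check verbatim. A one-line comment noting that "size" is an ssize_t accumulating the write () results would keep the check from looking redundant to a later reader. SSIZE_MAX is defined in <limits.h>; no include is visible in these hunks, so confirm the file already pulls it in on every platform this code builds for.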