normal/charset: Fix underflow and overflow in loop init

In bidi_line_wrap(), "kk - 1" in the for loop init, "i = kk - 1",
underflows when "kk" (unsigned int) is 0. Assigning the result of
"kk - 1" to signed int "i" may cause overflow. To address both
issues, cast "kk" to a signed type before subtraction to ensure
safe arithmetic and assignment.

Fixed: CID 473874

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>

diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
index 4f6647116bafa2d2e227f960edab6aa28819b914..a321c8438885817f3651e4a51b896e6870eef36f 100644 (file)
--- a/grub-core/normal/charset.c
+++ b/grub-core/normal/charset.c
@@ -738,7 +738,7 @@ bidi_line_wrap (struct grub_unicode_glyph *visual_out,
          {
            int right_join = 0;
            signed i;
-           for (i = kk - 1; i >= 0 && (unsigned) i + 1 > line_start;
+           for (i = (signed) kk - 1; i >= 0 && (unsigned) i + 1 > line_start;
                 i--)
              {
                enum grub_join_type join_type = get_join_type (visual[i].base);