From: Lidong Chen Date: Wed, 18 Jun 2025 19:24:23 +0000 (+0000) Subject: normal/charset: Fix underflow and overflow in loop init X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c2d4e64ffe86f46d7f9cd8d4837d5e012a661c6;p=thirdparty%2Fgrub.git normal/charset: Fix underflow and overflow in loop init In bidi_line_wrap(), "kk - 1" in the for loop init, "i = kk - 1", underflows when "kk" (unsigned int) is 0. Assigning the result of "kk - 1" to signed int "i" may cause overflow. To address both issues, cast "kk" to a signed type before subtraction to ensure safe arithmetic and assignment. Fixed: CID 473874 Signed-off-by: Lidong Chen Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy --- diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c index 4f6647116..a321c8438 100644 --- a/grub-core/normal/charset.c +++ b/grub-core/normal/charset.c @@ -738,7 +738,7 @@ bidi_line_wrap (struct grub_unicode_glyph *visual_out, { int right_join = 0; signed i; - for (i = kk - 1; i >= 0 && (unsigned) i + 1 > line_start; + for (i = (signed) kk - 1; i >= 0 && (unsigned) i + 1 > line_start; i--) { enum grub_join_type join_type = get_join_type (visual[i].base);
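Review bot: In the for-loop init, `(signed) kk - 1` is only well-defined while `kk` fits in a signed int; above that the unsigned-to-signed conversion is implementation-defined, and nothing in the visible lines bounds `kk`. Either add a comment stating the bound that callers guarantee, or drop the signed index and count down with an unsigned variable, for example `for (j = kk; j > line_start; j--)` with the body indexing `visual[j - 1]`. Assuming `line_start` is unsigned (as the `(unsigned) i + 1` comparison suggests) and `i` is not read after the loop, that form visits the same elements, skips the loop when `kk` is 0, and removes both the `i >= 0` test and the cast in the condition.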