From: Lidong Chen Date: Fri, 20 Jan 2023 19:39:38 +0000 (+0000) Subject: fs/iso9660: Add check to prevent infinite loop X-Git-Tag: grub-2.12-rc1~147 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e0bab34ece7b757a1b96be59ba54a009a5cc354;p=thirdparty%2Fgrub.git fs/iso9660: Add check to prevent infinite loop There is no check for the end of block when reading directory extents. It resulted in read_node() always read from the same offset in the while loop, thus caused infinite loop. The fix added a check for the end of the block and ensure the read is within directory boundary. Signed-off-by: Lidong Chen Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper --- diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c index df9f7783b..24d84a56d 100644 --- a/grub-core/fs/iso9660.c +++ b/grub-core/fs/iso9660.c @@ -801,6 +801,16 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, while (dirent.flags & FLAG_MORE_EXTENTS) { offset += dirent.len; + + /* offset should within the dir's len. */ + if (offset > len) + { + if (ctx.filename_alloc) + grub_free (ctx.filename); + grub_free (node); + return 0; + } + if (read_node (dir, offset, sizeof (dirent), (char *) &dirent)) { if (ctx.filename_alloc) @@ -808,6 +818,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, grub_free (node); return 0; } + + /* + * It is either the end of block or zero-padded sector, + * skip to the next block. + */ + if (!dirent.len) + { + offset = (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ; + dirent.flags |= FLAG_MORE_EXTENTS; + continue; + } + if (node->have_dirents >= node->alloc_dirents) { struct grub_fshelp_node *new_node;