On Thu, Jun 05, 2025 at 05:03:19AM +0000, Lidong Chen wrote:
> The potential overflow issue arises at "size += ret;" because 'size'
> is of type ssize_t (signed) while 'len' is size_t (unsigned). Repeatedly
> adding read sizes ('ret') to 'size' can potentially exceed the maximum
> value of ssize_t, causing it to overflow into a negative or incorrect value.
> The fix is to ensure 'len' is within the range of GRUB_SSIZE_MAX.
>
> Fixes: CID 473850
> Fixes: CID 473863
>
> Signed-off-by: Lidong Chen <[email protected]>Reviewed-by: Daniel Kiper <[email protected]> Daniel _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
