On Thu, Jun 05, 2025 at 05:03:19AM +0000, Lidong Chen wrote:
> The potential overflow issue arises at "size += ret;" because 'size'
> is of type ssize_t (signed) while 'len' is size_t (unsigned). Repeatedly
> adding read sizes ('ret') to 'size' can potentially exceed the maximum
> value of ssize_t, causing it to overflow into a negative or incorrect value.
> The fix is to ensure 'len' is within the range of GRUB_SSIZE_MAX.
>
> Fixes: CID 473850
> Fixes: CID 473863
>
> Signed-off-by: Lidong Chen <lidong.c...@oracle.com>Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
