diff --git a/ChangeLog b/ChangeLog index 2c9dd76b4..25a328a51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,28 @@ +2012-01-14 Vladimir Serbinenko + + Eliminate grub_min/grub_max prone to overflow usage. + + * grub-core/bus/usb/usbhub.c (grub_usb_add_hub): Eliminate grub_min. + (poll_nonroot_hub): Likewise. + * grub-core/fs/affs.c (grub_affs_iterate_dir): Likewise. + (grub_affs_label): Likewise. + * grub-core/fs/btrfs.c (grub_btrfs_lzo_decompress): Likewise. + * grub-core/fs/hfs.c (grub_hfs_dir): Likewise. + (grub_hfs_label): Likewise. + * grub-core/fs/hfsplus.c (grub_hfsplus_cmp_catkey): Likewise. + * grub-core/fs/zfs/zfs.c (MIN): Remove. + (zap_leaf_array_equal): Use grub_size. Remove MIN. + (zap_leaf_array_get): Likewise. + (dnode_get_path): Likewise. + * grub-core/io/lzopio.c (grub_lzopio_read): Eliminate grub_min. + * grub-core/io/xzio.c (grub_xzio_read): Likewise. + * grub-core/script/execute.c (grub_script_break): Likewise. + * grub-core/script/lexer.c (grub_script_lexer_record): Eliminate + grub_max. + * grub-core/script/yylex.l (grub_lexer_yyrealloc): Likewise. + * include/grub/misc.h (grub_min): Removed. + (grub_max): Likewise. + 2012-01-14 Samuel Thibault * grub-core/fs/ext2.c (grub_ext2_iterate_dir): Ignore entries with diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c index b59f2f51d..a209fe9d6 100644 --- a/grub-core/bus/usb/usbhub.c +++ b/grub-core/bus/usb/usbhub.c @@ -158,11 +158,13 @@ grub_usb_add_hub (grub_usb_device_t dev) if ((endp->endp_addr & 128) && grub_usb_get_ep_type(endp) == GRUB_USB_EP_INTERRUPT) { + grub_size_t len; dev->hub_endpoint = endp; + len = endp->maxpacket; + if (len > sizeof (dev->statuschange)) + len = sizeof (dev->statuschange); dev->hub_transfer - = grub_usb_bulk_read_background (dev, endp->endp_addr, - grub_min (endp->maxpacket, - sizeof (dev->statuschange)), + = grub_usb_bulk_read_background (dev, endp->endp_addr, len, (char *) &dev->statuschange); break; } 
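Review bot: The clamp `len = endp->maxpacket; if (len > sizeof (dev->statuschange)) len = sizeof (dev->statuschange);` is open-coded here and repeated verbatim in poll_nonroot_hub in the next hunk, and the same three-line shape recurs in the affs.c, hfs.c, hfsplus.c, zfs.c, lzopio.c, xzio.c and execute.c hunks. Since the stated motivation for dropping grub_min is its `long` parameters rather than the min operation itself, a size-typed replacement in misc.h, e.g. `static inline grub_size_t grub_min_size (grub_size_t a, grub_size_t b) { return a < b ? a : b; }`, would keep the overflow fix without eight copies of the idiom. For the hub case specifically, a small static helper shared by grub_usb_add_hub and poll_nonroot_hub would also stop the two computations from drifting apart. grub_usb_add_hub continues outside the hunk.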
@@ -314,7 +316,7 @@ poll_nonroot_hub (grub_usb_device_t dev) grub_usb_err_t err; unsigned i; grub_uint8_t changed; - grub_size_t actual; + grub_size_t actual, len; int j, total; if (!dev->hub_transfer) @@ -327,10 +329,11 @@ poll_nonroot_hub (grub_usb_device_t dev) changed = dev->statuschange; + len = dev->hub_endpoint->maxpacket; + if (len > sizeof (dev->statuschange)) + len = sizeof (dev->statuschange); dev->hub_transfer - = grub_usb_bulk_read_background (dev, dev->hub_endpoint->endp_addr, - grub_min (dev->hub_endpoint->maxpacket, - sizeof (dev->statuschange)), + = grub_usb_bulk_read_background (dev, dev->hub_endpoint->endp_addr, len, (char *) &dev->statuschange); if (err || actual == 0 || changed == 0) diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c index cdbf62e34..7c7813729 100644 --- a/grub-core/fs/affs.c +++ b/grub-core/fs/affs.c @@ -305,6 +305,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, { int type; grub_uint8_t name_u8[sizeof (fil->name) * GRUB_MAX_UTF8_PER_LATIN1 + 1]; + grub_size_t len; node = grub_zalloc (sizeof (*node)); if (!node) @@ -327,8 +328,10 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, node->di = *fil; node->parent = dir; - *grub_latin1_to_utf8 (name_u8, fil->name, - grub_min (fil->namelen, sizeof (fil->name))) = '\0'; + len = fil->namelen; + if (len > sizeof (fil->name)) + len = sizeof (fil->name); + *grub_latin1_to_utf8 (name_u8, fil->name, len) = '\0'; if (hook ((char *) name_u8, type, node)) { @@ -540,7 +543,9 @@ grub_affs_label (grub_device_t device, char **label) if (grub_errno) return 0; - len = grub_min (file.namelen, sizeof (file.name)); + len = file.namelen; + if (len > sizeof (file.name)) + len = sizeof (file.name); *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); if (*label) *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0'; diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c index db251ffd7..b877cab63 100644 --- a/grub-core/fs/btrfs.c +++ b/grub-core/fs/btrfs.c 
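Review bot: In grub_affs_label the new line `len = file.namelen;` relies on a declaration of `len` above the hunk; with grub_min's `long` return gone, `len` needs to be grub_size_t, otherwise `len > sizeof (file.name)` becomes a signed/unsigned comparison — worth confirming, since the grub_affs_iterate_dir hunk declares its own `grub_size_t len` explicitly. file.namelen is taken from the on-disk block, so clamping to sizeof (file.name) is the right guard for grub_latin1_to_utf8, and it also bounds the `len * GRUB_MAX_UTF8_PER_LATIN1 + 1` allocation. grub_affs_label continues outside the hunk.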
@@ -928,13 +928,17 @@ grub_btrfs_lzo_decompress(char *ibuf, grub_size_t isize, grub_off_t off, /* Block partially filled with requested data. */ if (off > 0 || osize < GRUB_BTRFS_LZO_BLOCK_SIZE) { - grub_size_t to_copy = grub_min(osize, GRUB_BTRFS_LZO_BLOCK_SIZE - off); + grub_size_t to_copy = GRUB_BTRFS_LZO_BLOCK_SIZE - off; + + if (to_copy > osize) + to_copy = osize; if (lzo1x_decompress_safe ((lzo_bytep)ibuf, cblock_size, buf, &usize, NULL) != LZO_E_OK) return -1; - to_copy = grub_min(to_copy, usize); + if (to_copy > usize) + to_copy = usize; grub_memcpy(obuf, buf + off, to_copy); osize -= to_copy; diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c index 8979831b7..6a86e2e7d 100644 --- a/grub-core/fs/hfs.c +++ b/grub-core/fs/hfs.c @@ -1150,10 +1150,14 @@ grub_hfs_dir (grub_device_t device, const char *path, struct grub_hfs_catalog_key *ckey = rec->key; char fname[sizeof (ckey->str) * MAX_UTF8_PER_MAC_ROMAN + 1] = { 0 }; struct grub_dirhook_info info; + grub_size_t len; + grub_memset (&info, 0, sizeof (info)); - macroman_to_utf8 (fname, ckey->str, grub_min (ckey->strlen, - sizeof (ckey->str))); + len = ckey->strlen; + if (len > sizeof (ckey->str)) + len = sizeof (ckey->str); + macroman_to_utf8 (fname, ckey->str, len); info.case_insensitive = 1; @@ -1272,8 +1276,9 @@ grub_hfs_label (grub_device_t device, char **label) if (data) { - grub_size_t len = grub_min (sizeof (data->sblock.volname) - 1, - data->sblock.volname[0]); + grub_size_t len = data->sblock.volname[0]; + if (len > sizeof (data->sblock.volname) - 1) + len = sizeof (data->sblock.volname) - 1; *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1); if (*label) macroman_to_utf8 (*label, data->sblock.volname + 1, diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c index 7e859be41..d1fa15e9f 100644 --- a/grub-core/fs/hfsplus.c +++ b/grub-core/fs/hfsplus.c 
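Review bot: The second clamp `if (to_copy > usize) to_copy = usize;` bounds to_copy by the whole decompressed length, but the copy starts at `buf + off`, so when off > 0 and the block decompressed to fewer than off + to_copy bytes the memcpy reads past the decompressed data (still inside buf, but stale bytes end up in obuf). The removed grub_min line had the same gap, so this is not a regression, but the rewrite is the place to close it: `if (off >= usize) to_copy = 0; else if (to_copy > usize - off) to_copy = usize - off;`. Whether off is always below usize depends on the caller, which is outside the hunk; grub_btrfs_lzo_decompress continues outside it as well.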
@@ -520,6 +520,7 @@ grub_hfsplus_cmp_catkey (struct grub_hfsplus_key *keya, struct grub_hfsplus_catkey *catkey_a = &keya->catkey; struct grub_hfsplus_catkey_internal *catkey_b = &keyb->catkey; int diff; + grub_size_t len; /* Safe unsigned comparison */ grub_uint32_t aparent = grub_be_to_cpu32 (catkey_a->parent); @@ -528,10 +529,11 @@ grub_hfsplus_cmp_catkey (struct grub_hfsplus_key *keya, if (aparent < catkey_b->parent) return -1; + len = grub_be_to_cpu16 (catkey_a->namelen); + if (len > catkey_b->namelen) + len = catkey_b->namelen; diff = grub_memcmp (catkey_a->name, catkey_b->name, - grub_min (grub_be_to_cpu16 (catkey_a->namelen), - catkey_b->namelen) - * sizeof (catkey_a->name[0])); + len * sizeof (catkey_a->name[0])); if (diff == 0) diff = grub_be_to_cpu16 (catkey_a->namelen) - catkey_b->namelen; diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c index 782563384..c916bc755 100644 --- a/grub-core/fs/zfs/zfs.c +++ b/grub-core/fs/zfs/zfs.c @@ -58,8 +58,6 @@ GRUB_MOD_LICENSE ("GPLv3+"); #define ZPOOL_PROP_BOOTFS "bootfs" -#define MIN(a,b) (((a) < (b)) ? (a) : (b)) - /* * For nvlist manipulation. (from nvpair.h) */ @@ -1842,18 +1840,21 @@ name_cmp (const char *s1, const char *s2, grub_size_t n, /* XXX */ static int zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian, - int blksft, int chunk, int array_len, const char *buf, - int case_insensitive) + int blksft, int chunk, grub_size_t array_len, + const char *buf, int case_insensitive) { - int bseen = 0; + grub_size_t bseen = 0; while (bseen < array_len) { struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array; - int toread = MIN (array_len - bseen, ZAP_LEAF_ARRAY_BYTES); + grub_size_t toread = array_len - bseen; + + if (toread > ZAP_LEAF_ARRAY_BYTES) + toread = ZAP_LEAF_ARRAY_BYTES; if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft)) - return (0); + return 0; if (name_cmp ((char *) la->la_array, buf + bseen, toread, case_insensitive) != 0) 
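Review bot: The bounds check `if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft)) return 0;` runs after `la` has already been formed from `ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array`, so an out-of-range chunk index is used in pointer arithmetic before it is rejected; zap_leaf_array_get in the next hunk has the same order. Moving the guard above the `la` initialiser in both functions keeps the rejected value out of address computation (it is only dereferenced later, but the arithmetic itself is already out of bounds). `chunk` also remains an `int` while array_len became grub_size_t; if ZAP_LEAF_NUMCHUNKS evaluates to a signed type (its definition is outside the hunk) a negative chunk passes the `>=` test, so a `chunk < 0 ||` clause is cheap insurance. Both functions continue outside their hunks.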
@@ -1867,14 +1868,17 @@ zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian, /* XXX */ static grub_err_t zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft, - int chunk, int array_len, char *buf) + int chunk, grub_size_t array_len, char *buf) { - int bseen = 0; + grub_size_t bseen = 0; while (bseen < array_len) { struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array; - int toread = MIN (array_len - bseen, ZAP_LEAF_ARRAY_BYTES); + grub_size_t toread = array_len - bseen; + + if (toread > ZAP_LEAF_ARRAY_BYTES) + toread = ZAP_LEAF_ARRAY_BYTES; if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft)) /* Don't use grub_error because this error is to be ignored. */ @@ -2516,7 +2520,9 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, if (err) return err; - movesize = MIN (sym_sz - block * blksz, blksz); + movesize = sym_sz - block * blksz; + if (movesize > blksz) + movesize = blksz; grub_memcpy (sym_value + block * blksz, t, movesize); grub_free (t); diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c index bd6f8e738..e60664478 100644 --- a/grub-core/io/lzopio.c +++ b/grub-core/io/lzopio.c @@ -500,14 +500,16 @@ grub_lzopio_read (grub_file_t file, char *buf, grub_size_t len) while (len != 0 && lzopio->block.usize != 0) { - long to_copy; + grub_size_t to_copy; /* Block not decompressed yet. */ if (!lzopio->block.udata && uncompress_block (lzopio) < 0) goto CORRUPTED; /* Copy requested data into buffer. */ - to_copy = grub_min (lzopio->block.usize - off, len); + to_copy = lzopio->block.usize - off; + if (to_copy > len) + to_copy = len; grub_memcpy (buf, lzopio->block.udata + off, to_copy); len -= to_copy; diff --git a/grub-core/io/xzio.c b/grub-core/io/xzio.c index 1575ca236..c9f648188 100644 --- a/grub-core/io/xzio.c +++ b/grub-core/io/xzio.c 
@@ -266,9 +266,9 @@ grub_xzio_read (grub_file_t file, char *buf, grub_size_t len) while (len > 0) { - xzio->buf.out_size = grub_min (file->offset + ret + len - current_offset, - XZBUFSIZ); - + xzio->buf.out_size = file->offset + ret + len - current_offset; + if (xzio->buf.out_size > XZBUFSIZ) + xzio->buf.out_size = XZBUFSIZ; /* Feed input. */ if (xzio->buf.in_pos == xzio->buf.in_size) { diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c index 1fb5de6a3..95984fc23 100644 --- a/grub-core/script/execute.c +++ b/grub-core/script/execute.c @@ -82,7 +82,9 @@ grub_script_break (grub_command_t cmd, int argc, char *argv[]) return grub_error (GRUB_ERR_BAD_ARGUMENT, "bad break"); is_continue = grub_strcmp (cmd->name, "break") ? 1 : 0; - active_breaks = grub_min (active_loops, count); + active_breaks = count; + if (active_breaks > active_loops) + active_breaks = active_loops; return GRUB_ERR_NONE; } diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c index 53697c734..bf3bb487b 100644 --- a/grub-core/script/lexer.c +++ b/grub-core/script/lexer.c @@ -107,7 +107,9 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str) if (lexer->recordpos + len + 1 > lexer->recordlen) { old = lexer->recording; - lexer->recordlen = grub_max (len, lexer->recordlen) * 2; + if (lexer->recordlen < len) + lexer->recordlen = len; + lexer->recordlen *= 2; lexer->recording = grub_realloc (lexer->recording, lexer->recordlen); if (!lexer->recording) { diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l index 012d88dbc..f0193ead0 100644 --- a/grub-core/script/yylex.l +++ b/grub-core/script/yylex.l 
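Review bot: In grub_script_lexer_record, `lexer->recordlen` is now updated in two statements before grub_realloc is called, so on allocation failure the recorded size no longer describes the buffer that `old` still points to (the failure branch is below the hunk; if it does not restore recordlen the mismatch persists). Computing into a local of recordlen's type and committing only on success avoids that: `newlen = lexer->recordlen < len ? len : lexer->recordlen; newlen *= 2;`, then `lexer->recording = grub_realloc (lexer->recording, newlen);` and assign lexer->recordlen after the NULL check. The removed grub_max line had the same ordering, so this is pre-existing rather than a regression. grub_script_lexer_record continues outside the hunk.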
@@ -316,14 +316,16 @@ grub_lexer_yyrealloc (void *ptr, yy_size_t size, static void copy_string (struct grub_parser_param *parser, const char *str, unsigned hint) { - int size; + grub_size_t size; char *ptr; unsigned len; len = hint ? hint : grub_strlen (str); if (parser->lexerstate->used + len >= parser->lexerstate->size) { - size = grub_max (len, parser->lexerstate->size) * 2; + size = len * 2; + if (size < parser->lexerstate->size * 2) + size = parser->lexerstate->size * 2; ptr = grub_realloc (parser->lexerstate->text, size); if (!ptr) { diff --git a/include/grub/misc.h b/include/grub/misc.h index e1b13eeba..47607d3e3 100644 --- a/include/grub/misc.h +++ b/include/grub/misc.h @@ -393,24 +393,6 @@ grub_abs (int x) return (unsigned int) x; } -static inline long -grub_min (long x, long y) -{ - if (x < y) - return x; - else - return y; -} - -static inline long -grub_max (long x, long y) -{ - if (x > y) - return x; - else - return y; -} - /* Rounded-up division */ static inline unsigned int grub_div_roundup (unsigned int x, unsigned int y)
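Review bot: `size = len * 2;` multiplies in `unsigned` (len is declared `unsigned` in the context lines) and only then widens to the new grub_size_t `size`, so on 64-bit targets the product can wrap before reaching the wider type; given the commit's goal, write it as `size = (grub_size_t) len * 2;` and cast `parser->lexerstate->size` the same way unless it is already a grub_size_t (its declaration is outside the hunk). Separately, the ChangeLog entry attributes this change to grub_lexer_yyrealloc, which is only the hunk's context function; the edited function is copy_string. copy_string continues outside the hunk.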