2009-08-28 Vladimir Serbinenko <phcoder@gmail.com>

* kern/file.c (grub_file_read): Check offset.
	* fs/hfs.c (grub_hfs_read_file): Remove unnecessary offset check.
	* fs/jfs.c (grub_jfs_read_file): Likewise.
	* fs/ntfs.c (grub_ntfs_read): Likewise.
	* fs/reiserfs.c (grub_reiserfs_read): Likewise.
	* fs/minix.c (grub_minix_read_file): Correct offset check.
	* fs/ufs.c (grub_ufs_read_file): Likewise.

ChangeLog

@@ -1,3 +1,13 @@
+2009-08-28  Vladimir Serbinenko  <phcoder@gmail.com>
+
+	* kern/file.c (grub_file_read): Check offset.
+	* fs/hfs.c (grub_hfs_read_file): Remove unnecessary offset check.
+	* fs/jfs.c (grub_jfs_read_file): Likewise.
+	* fs/ntfs.c (grub_ntfs_read): Likewise.
+	* fs/reiserfs.c (grub_reiserfs_read): Likewise.
+	* fs/minix.c (grub_minix_read_file): Correct offset check.
+	* fs/ufs.c (grub_ufs_read_file): Likewise.
+
 2009-08-28  Colin Watson  <cjwatson@ubuntu.com>
 
 	* term/i386/pc/console.c (bios_data_area): Cast

fs/hfs.c

@@ -243,10 +243,6 @@ grub_hfs_read_file (struct grub_hfs_data *data,
   int i;
   int blockcnt;
 
-  /* Adjust len so it we can't read past the end of the file.  */
-  if (len > grub_le_to_cpu32 (data->size))
-    len = grub_le_to_cpu32 (data->size);
-
   blockcnt = ((len + pos)
 	      + data->blksz - 1) / data->blksz;
 

fs/jfs.c

@@ -544,10 +544,6 @@ grub_jfs_read_file (struct grub_jfs_data *data,
   int i;
   int blockcnt;
 
-  /* Adjust len so it we can't read past the end of the file.  */
-  if (len > data->currinode.size)
-    len = data->currinode.size;
-
   blockcnt = ((len + pos + grub_le_to_cpu32 (data->sblock.blksz) - 1)
 	      / grub_le_to_cpu32 (data->sblock.blksz));
 

fs/minix.c

@@ -193,8 +193,8 @@ grub_minix_read_file (struct grub_minix_data *data,
   int blockcnt;
 
   /* Adjust len so it we can't read past the end of the file.  */
-  if (len > GRUB_MINIX_INODE_SIZE (data))
-    len = GRUB_MINIX_INODE_SIZE (data);
+  if (len + pos > GRUB_MINIX_INODE_SIZE (data))
+    len = GRUB_MINIX_INODE_SIZE (data) - pos;
 
   blockcnt = (len + pos + GRUB_MINIX_BSIZE - 1) / GRUB_MINIX_BSIZE;
 

fs/ntfs.c

@@ -970,15 +970,6 @@ grub_ntfs_read (grub_file_t file, char *buf, grub_size_t len)
   if (file->read_hook)
     mft->attr.save_pos = 1;
 
-  if (file->offset > file->size)
-    {
-      grub_error (GRUB_ERR_BAD_FS, "Bad offset");
-      return -1;
-    }
-
-  if (file->offset + len > file->size)
-    len = file->size - file->offset;
-
   read_attr (&mft->attr, buf, file->offset, len, 1, file->read_hook);
   return (grub_errno) ? 0 : len;
 }

fs/reiserfs.c

@@ -1077,9 +1077,6 @@ grub_reiserfs_read (grub_file_t file, char *buf, grub_size_t len)
   grub_disk_addr_t block;
   grub_off_t offset;
 
-  if (file->offset >= file->size)
-    return 0;
-
   key.directory_id = node->header.key.directory_id;
   key.object_id = node->header.key.object_id;
   key.u.v2.offset_type = 0;

fs/ufs.c

@@ -290,8 +290,8 @@ grub_ufs_read_file (struct grub_ufs_data *data,
   int blockcnt;
 
   /* Adjust len so it we can't read past the end of the file.  */
-  if (len > INODE_SIZE (data))
-    len = INODE_SIZE (data);
+  if (len + pos > INODE_SIZE (data))
+    len = INODE_SIZE (data) - pos;
 
   blockcnt = (len + pos + UFS_BLKSZ (sblock) - 1) / UFS_BLKSZ (sblock);
 

kern/file.c

@@ -112,6 +112,13 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
 {
   grub_ssize_t res;
 
+  if (file->offset > file->size)
+    {
+      grub_error (GRUB_ERR_OUT_OF_RANGE,
+		  "Attempt to read pat the end of file.");
+      return -1;
+    }
+
   if (len == 0 || len > file->size - file->offset)
     len = file->size - file->offset;