From 6f07b921bc5e60fde59fb10cb68896c6124b3335 Mon Sep 17 00:00:00 2001
From: phcoder <phcoder@localhost>
Date: Fri, 28 Aug 2009 16:29:34 +0000
Subject: [PATCH] 2009-08-28  Vladimir Serbinenko  <phcoder@gmail.com>

	* kern/file.c (grub_file_read): Check offset.
	* fs/hfs.c (grub_hfs_read_file): Remove unnecessary offset check.
	* fs/jfs.c (grub_jfs_read_file): Likewise.
	* fs/ntfs.c (grub_ntfs_read): Likewise.
	* fs/reiserfs.c (grub_reiserfs_read): Likewise.
	* fs/minix.c (grub_minix_read_file): Correct offset check.
	* fs/ufs.c (grub_ufs_read_file): Likewise.
---
 ChangeLog     | 10 ++++++++++
 fs/hfs.c      |  4 ----
 fs/jfs.c      |  4 ----
 fs/minix.c    |  4 ++--
 fs/ntfs.c     |  9 ---------
 fs/reiserfs.c |  3 ---
 fs/ufs.c      |  4 ++--
 kern/file.c   |  7 +++++++
 8 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1858a9cbb..b657885fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2009-08-28  Vladimir Serbinenko  <phcoder@gmail.com>
+
+	* kern/file.c (grub_file_read): Check offset.
+	* fs/hfs.c (grub_hfs_read_file): Remove unnecessary offset check.
+	* fs/jfs.c (grub_jfs_read_file): Likewise.
+	* fs/ntfs.c (grub_ntfs_read): Likewise.
+	* fs/reiserfs.c (grub_reiserfs_read): Likewise.
+	* fs/minix.c (grub_minix_read_file): Correct offset check.
+	* fs/ufs.c (grub_ufs_read_file): Likewise.
+
 2009-08-28  Colin Watson  <cjwatson@ubuntu.com>
 
 	* term/i386/pc/console.c (bios_data_area): Cast
diff --git a/fs/hfs.c b/fs/hfs.c
index 2f0702cbb..5062b5f71 100644
--- a/fs/hfs.c
+++ b/fs/hfs.c
@@ -243,10 +243,6 @@ grub_hfs_read_file (struct grub_hfs_data *data,
   int i;
   int blockcnt;
 
-  /* Adjust len so it we can't read past the end of the file.  */
-  if (len > grub_le_to_cpu32 (data->size))
-    len = grub_le_to_cpu32 (data->size);
-
   blockcnt = ((len + pos)
 	      + data->blksz - 1) / data->blksz;
 
diff --git a/fs/jfs.c b/fs/jfs.c
index 51ca91ad0..b73f9bdd4 100644
--- a/fs/jfs.c
+++ b/fs/jfs.c
@@ -544,10 +544,6 @@ grub_jfs_read_file (struct grub_jfs_data *data,
   int i;
   int blockcnt;
 
-  /* Adjust len so it we can't read past the end of the file.  */
-  if (len > data->currinode.size)
-    len = data->currinode.size;
-
   blockcnt = ((len + pos + grub_le_to_cpu32 (data->sblock.blksz) - 1)
 	      / grub_le_to_cpu32 (data->sblock.blksz));
 
diff --git a/fs/minix.c b/fs/minix.c
index 44218fb89..08eb60729 100644
--- a/fs/minix.c
+++ b/fs/minix.c
@@ -193,8 +193,8 @@ grub_minix_read_file (struct grub_minix_data *data,
   int blockcnt;
 
   /* Adjust len so it we can't read past the end of the file.  */
-  if (len > GRUB_MINIX_INODE_SIZE (data))
-    len = GRUB_MINIX_INODE_SIZE (data);
+  if (len + pos > GRUB_MINIX_INODE_SIZE (data))
+    len = GRUB_MINIX_INODE_SIZE (data) - pos;
 
   blockcnt = (len + pos + GRUB_MINIX_BSIZE - 1) / GRUB_MINIX_BSIZE;
 
diff --git a/fs/ntfs.c b/fs/ntfs.c
index d03a94016..3ff487c6e 100644
--- a/fs/ntfs.c
+++ b/fs/ntfs.c
@@ -970,15 +970,6 @@ grub_ntfs_read (grub_file_t file, char *buf, grub_size_t len)
   if (file->read_hook)
     mft->attr.save_pos = 1;
 
-  if (file->offset > file->size)
-    {
-      grub_error (GRUB_ERR_BAD_FS, "Bad offset");
-      return -1;
-    }
-
-  if (file->offset + len > file->size)
-    len = file->size - file->offset;
-
   read_attr (&mft->attr, buf, file->offset, len, 1, file->read_hook);
   return (grub_errno) ? 0 : len;
 }
diff --git a/fs/reiserfs.c b/fs/reiserfs.c
index 04d33150f..fb4f1bc59 100644
--- a/fs/reiserfs.c
+++ b/fs/reiserfs.c
@@ -1077,9 +1077,6 @@ grub_reiserfs_read (grub_file_t file, char *buf, grub_size_t len)
   grub_disk_addr_t block;
   grub_off_t offset;
 
-  if (file->offset >= file->size)
-    return 0;
-
   key.directory_id = node->header.key.directory_id;
   key.object_id = node->header.key.object_id;
   key.u.v2.offset_type = 0;
diff --git a/fs/ufs.c b/fs/ufs.c
index 797a45d13..c94ad9922 100644
--- a/fs/ufs.c
+++ b/fs/ufs.c
@@ -290,8 +290,8 @@ grub_ufs_read_file (struct grub_ufs_data *data,
   int blockcnt;
 
   /* Adjust len so it we can't read past the end of the file.  */
-  if (len > INODE_SIZE (data))
-    len = INODE_SIZE (data);
+  if (len + pos > INODE_SIZE (data))
+    len = INODE_SIZE (data) - pos;
 
   blockcnt = (len + pos + UFS_BLKSZ (sblock) - 1) / UFS_BLKSZ (sblock);
 
diff --git a/kern/file.c b/kern/file.c
index 9b56b88e4..22f2f6093 100644
--- a/kern/file.c
+++ b/kern/file.c
@@ -112,6 +112,13 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
 {
   grub_ssize_t res;
 
+  if (file->offset > file->size)
+    {
+      grub_error (GRUB_ERR_OUT_OF_RANGE,
+		  "Attempt to read pat the end of file.");
+      return -1;
+    }
+
   if (len == 0 || len > file->size - file->offset)
     len = file->size - file->offset;