Eliminate grub_min/grub_max prone to overflow usage.

* grub-core/bus/usb/usbhub.c (grub_usb_add_hub): Eliminate grub_min. (poll_nonroot_hub): Likewise. * grub-core/fs/affs.c (grub_affs_iterate_dir): Likewise. (grub_affs_label): Likewise. * grub-core/fs/btrfs.c (grub_btrfs_lzo_decompress): Likewise. * grub-core/fs/hfs.c (grub_hfs_dir): Likewise. (grub_hfs_label): Likewise. * grub-core/fs/hfsplus.c (grub_hfsplus_cmp_catkey): Likewise. * grub-core/fs/zfs/zfs.c (MIN): Remove. (zap_leaf_array_equal): Use grub_size. Remove MIN. (zap_leaf_array_get): Likewise. (dnode_get_path): Likewise. * grub-core/io/lzopio.c (grub_lzopio_read): Eliminate grub_min. * grub-core/io/xzio.c (grub_xzio_read): Likewise. * grub-core/script/execute.c (grub_script_break): Likewise. * grub-core/script/lexer.c (grub_script_lexer_record): Eliminate grub_max. * grub-core/script/yylex.l (grub_lexer_yyrealloc): Likewise. * include/grub/misc.h (grub_min): Removed. (grub_max): Likewise.
2012-01-14 15:44:34 +01:00 · 2012-01-14 15:44:34 +01:00 · 9c2710789f
commit 9c2710789f
parent 80662dbc5d
13 changed files with 97 additions and 57 deletions
--- a/grub-core/fs/affs.c
+++ b/grub-core/fs/affs.c
@ -305,6 +305,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
    {
      int type;
      grub_uint8_t name_u8[sizeof (fil->name) * GRUB_MAX_UTF8_PER_LATIN1 + 1];
+      grub_size_t len;

      node = grub_zalloc (sizeof (*node));
      if (!node)
@ -327,8 +328,10 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
      node->di = *fil;
      node->parent = dir;

-      *grub_latin1_to_utf8 (name_u8, fil->name,
-			    grub_min (fil->namelen, sizeof (fil->name))) = '\0';
+      len = fil->namelen;
+      if (len > sizeof (fil->name))
+	len = sizeof (fil->name);
+      *grub_latin1_to_utf8 (name_u8, fil->name, len) = '\0';
      
      if (hook ((char *) name_u8, type, node))
 	{
@ -540,7 +543,9 @@ grub_affs_label (grub_device_t device, char **label)
      if (grub_errno)
 	return 0;

-      len = grub_min (file.namelen, sizeof (file.name));
+      len = file.namelen;
+      if (len > sizeof (file.name))
+	len = sizeof (file.name);
      *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
      if (*label)
 	*grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@ -928,13 +928,17 @@ grub_btrfs_lzo_decompress(char *ibuf, grub_size_t isize, grub_off_t off,
      /* Block partially filled with requested data.  */
      if (off > 0 || osize < GRUB_BTRFS_LZO_BLOCK_SIZE)
 	{
-	  grub_size_t to_copy = grub_min(osize, GRUB_BTRFS_LZO_BLOCK_SIZE - off);
+	  grub_size_t to_copy = GRUB_BTRFS_LZO_BLOCK_SIZE - off;
+
+	  if (to_copy > osize)
+	    to_copy = osize;

 	  if (lzo1x_decompress_safe ((lzo_bytep)ibuf, cblock_size, buf, &usize,
 	      NULL) != LZO_E_OK)
 	    return -1;

-	  to_copy = grub_min(to_copy, usize);
+	  if (to_copy > usize)
+	    to_copy = usize;
 	  grub_memcpy(obuf, buf + off, to_copy);

 	  osize -= to_copy;
--- a/grub-core/fs/hfs.c
+++ b/grub-core/fs/hfs.c
@ -1150,10 +1150,14 @@ grub_hfs_dir (grub_device_t device, const char *path,
      struct grub_hfs_catalog_key *ckey = rec->key;
      char fname[sizeof (ckey->str) * MAX_UTF8_PER_MAC_ROMAN + 1] = { 0 };
      struct grub_dirhook_info info;
+      grub_size_t len;
+
      grub_memset (&info, 0, sizeof (info));

-      macroman_to_utf8 (fname, ckey->str, grub_min (ckey->strlen,
-						    sizeof (ckey->str)));
+      len = ckey->strlen;
+      if (len > sizeof (ckey->str))
+	len = sizeof (ckey->str);
+      macroman_to_utf8 (fname, ckey->str, len);

      info.case_insensitive = 1;

@ -1272,8 +1276,9 @@ grub_hfs_label (grub_device_t device, char **label)

  if (data)
    {
-      grub_size_t len = grub_min (sizeof (data->sblock.volname) - 1,
-				  data->sblock.volname[0]);
+      grub_size_t len = data->sblock.volname[0];
+      if (len > sizeof (data->sblock.volname) - 1)
+	len = sizeof (data->sblock.volname) - 1;
      *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
      if (*label)
 	macroman_to_utf8 (*label, data->sblock.volname + 1,
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@ -520,6 +520,7 @@ grub_hfsplus_cmp_catkey (struct grub_hfsplus_key *keya,
  struct grub_hfsplus_catkey *catkey_a = &keya->catkey;
  struct grub_hfsplus_catkey_internal *catkey_b = &keyb->catkey;
  int diff;
+  grub_size_t len;

  /* Safe unsigned comparison */
  grub_uint32_t aparent = grub_be_to_cpu32 (catkey_a->parent);
@ -528,10 +529,11 @@ grub_hfsplus_cmp_catkey (struct grub_hfsplus_key *keya,
  if (aparent < catkey_b->parent)
    return -1;

+  len = grub_be_to_cpu16 (catkey_a->namelen);
+  if (len > catkey_b->namelen)
+    len = catkey_b->namelen;
  diff = grub_memcmp (catkey_a->name, catkey_b->name,
-		      grub_min (grub_be_to_cpu16 (catkey_a->namelen),
-				catkey_b->namelen)
-		      * sizeof (catkey_a->name[0]));
+		      len * sizeof (catkey_a->name[0]));
  if (diff == 0)
    diff = grub_be_to_cpu16 (catkey_a->namelen) - catkey_b->namelen;

--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@ -58,8 +58,6 @@ GRUB_MOD_LICENSE ("GPLv3+");

 #define	ZPOOL_PROP_BOOTFS		"bootfs"

-#define MIN(a,b) (((a) < (b)) ? (a) : (b))
-
 /*
 * For nvlist manipulation. (from nvpair.h)
 */
@ -1842,18 +1840,21 @@ name_cmp (const char *s1, const char *s2, grub_size_t n,
 /* XXX */
 static int
 zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian,
-		      int blksft, int chunk, int array_len, const char *buf,
-		      int case_insensitive)
+		      int blksft, int chunk, grub_size_t array_len,
+		      const char *buf, int case_insensitive)
 {
-  int bseen = 0;
+  grub_size_t bseen = 0;

  while (bseen < array_len)
    {
      struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
-      int toread = MIN (array_len - bseen, ZAP_LEAF_ARRAY_BYTES);
+      grub_size_t toread = array_len - bseen;
+
+      if (toread > ZAP_LEAF_ARRAY_BYTES)
+	toread = ZAP_LEAF_ARRAY_BYTES;

      if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft))
-	return (0);
+	return 0;

      if (name_cmp ((char *) la->la_array, buf + bseen, toread,
 		    case_insensitive) != 0)
@ -1867,14 +1868,17 @@ zap_leaf_array_equal (zap_leaf_phys_t * l, grub_zfs_endian_t endian,
 /* XXX */
 static grub_err_t
 zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft, 
-		    int chunk, int array_len, char *buf)
+		    int chunk, grub_size_t array_len, char *buf)
 {
-  int bseen = 0;
+  grub_size_t bseen = 0;

  while (bseen < array_len)
    {
      struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
-      int toread = MIN (array_len - bseen, ZAP_LEAF_ARRAY_BYTES);
+      grub_size_t toread = array_len - bseen;
+
+      if (toread > ZAP_LEAF_ARRAY_BYTES)
+	toread = ZAP_LEAF_ARRAY_BYTES;

      if (chunk >= ZAP_LEAF_NUMCHUNKS (blksft))
 	/* Don't use grub_error because this error is to be ignored.  */
@ -2516,7 +2520,9 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
 		  if (err)
 		    return err;

-		  movesize = MIN (sym_sz - block * blksz, blksz);
+		  movesize = sym_sz - block * blksz;
+		  if (movesize > blksz)
+		    movesize = blksz;

 		  grub_memcpy (sym_value + block * blksz, t, movesize);
 		  grub_free (t);