Reporter: [EMAIL PROTECTED]
Summary: Possible buffer overflow when loading image
Version: grub 0.93
Type: software bug
Message:
In stage2/boot.c, load_image() we determine the data_len
and then try to populate the already read data from "buffer"
into "linux_data_tmp_addr". If the "data_len" is between
(8192-512) and (8192) bytes we will memmove bytes from
beyond the end of "buffer".
--- boot.c 2003-03-11 23:43:25.000000000 -0800
+++ /tmp/boot.c2 2003-03-11 23:53:06.000000000 -0800
@@ -375,7 +375,7 @@
/* It is possible that DATA_LEN is greater than MULTIBOOT_SEARCH,
so the data may have been read partially. */
- if (data_len <= MULTIBOOT_SEARCH)
+ if ((data_len + SECTOR_SIZE) <= MULTIBOOT_SEARCH)
grub_memmove (linux_data_tmp_addr, buffer,
data_len + SECTOR_SIZE);
else
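Review bot: the comment above the changed test still describes the partial-read case as DATA_LEN being greater than MULTIBOOT_SEARCH, but the new condition tests data_len + SECTOR_SIZE, so the comment should be updated to match. With this change, lengths in the range (MULTIBOOT_SEARCH - SECTOR_SIZE, MULTIBOOT_SEARCH] now take the else branch, whose body is not visible in this hunk; please confirm that branch behaves correctly when data_len itself is no larger than MULTIBOOT_SEARCH. Consider computing data_len + SECTOR_SIZE once into a local and using it for both the test and the grub_memmove length, so the bound and the copy size cannot drift apart again.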
----
Please send followups to <[EMAIL PROTECTED]>.
_______________________________________________
Bug-grub mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-grub