There is no check for the end of the block when reading directory extents. This resulted in read_node() always reading from the same offset in the while loop, thus causing an infinite loop. The fix adds a check for the end of the block and ensures the read is within the directory boundary.
Signed-off-by: Lidong Chen <lidong.c...@oracle.com> --- grub-core/fs/iso9660.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c index 91817ec1f..4f4cd6165 100644 --- a/grub-core/fs/iso9660.c +++ b/grub-core/fs/iso9660.c @@ -795,6 +795,15 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, while (dirent.flags & FLAG_MORE_EXTENTS) { offset += dirent.len; + + /* offset should within the dir's len. */ + if (offset > len) + { + if (ctx.filename_alloc) + grub_free (ctx.filename); + return 0; + } + if (read_node (dir, offset, sizeof (dirent), (char *) &dirent)) { if (ctx.filename_alloc) @@ -802,6 +811,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, grub_free (node); return 0; } + + /* + * It is either the end of block or zero-padded sector, + * skip to the next block. + */ + if (!dirent.len) + { + offset = (offset / GRUB_ISO9660_BLKSZ + 1) * GRUB_ISO9660_BLKSZ; + dirent.flags |= FLAG_MORE_EXTENTS; + continue; + } + if (node->have_dirents >= node->alloc_dirents) { struct grub_fshelp_node *new_node; -- 2.35.1
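Review bot: the new early return under `if (offset > len)` in the first hunk (@@ -795,6 +795,15) frees ctx.filename but not node, while the read_node() failure path directly below it also calls `grub_free (node);` before `return 0;`. Add `grub_free (node);` to the new branch so both exits from the loop release the same allocations. The comment would also read better as "offset should be within the dir's len".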
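Review bot: in the second hunk (@@ -802,6 +811,18), the `if (!dirent.len)` branch rounds offset up to the next GRUB_ISO9660_BLKSZ boundary and then depends on the `offset > len` test from the first hunk to end the loop, but when the rounded offset equals len exactly that test does not fire and read_node() is asked for sizeof (dirent) bytes starting at the end of the directory. Consider testing `offset >= len`, or that offset plus sizeof (dirent) still fits within len, before the read. The comment should also say why `dirent.flags |= FLAG_MORE_EXTENTS;` is forced on a zeroed record, since that assignment is the only thing keeping the while condition true after `continue`.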