On Fri, Oct 17, 2025 at 05:23:48PM -0600, Logan Gunthorpe via Grub-devel wrote:
> Hi Daniel,
>
> On 2025-10-15 09:52, Daniel Kiper wrote:
> > On Tue, Oct 14, 2025 at 02:14:18PM -0600, Logan Gunthorpe via Grub-devel
> > wrote:
> >> + while (len > 0)
> >> + {
> >> + zstdio->output.size = file->offset + ret + len - current_offset;
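
Review bot: The assignment to zstdio->output.size stores file->offset + ret + len - current_offset, and the quoted lines show no check that current_offset is at most file->offset + ret + len or that the result fits the type of output.size. If either condition fails, the value used as the output size is wrapped or truncated. Computing the sum with the macros from include/grub/safemath.h and returning an error on overflow would make the bound explicit rather than implied.
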
> >
> > Is there any chance for overflow here? If yes then please use safe math
> > from include/grub/safemath.h.
>
> My read is that unless we are dealing with files greater than the two
> offsets are 64bits and unlikely to ever see a file that doesn't fit.

First of all, please remember that GRUB can be compiled for 32-bit
targets. So, zstdio->output.size can be 32-bit...

> len is going to be the size of a memory buffer and ret is going to be
> less than or equal to ret. So it doesn't seem like an overflow is possible.

I think you meant "less than or equal to len"...

> >> + grub_size_t delta = new_offset - (file->offset + ret);
> >> + grub_memmove (buf, (grub_uint8_t *) zstdio->output.dst +
> >> + (zstdio->output.pos - delta),
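
Review bot: In the grub_memmove source expression, zstdio->output.pos - delta wraps if delta is ever larger than output.pos, and the copy would then read from outside output.dst. The quoted lines show no check that delta <= zstdio->output.pos, nor that new_offset >= file->offset + ret before delta is computed. An explicit test with an error return ahead of the memmove (or grub_sub from include/grub/safemath.h) would enforce the invariant instead of relying on it.
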
> >
> > Safe math? In general please check all math in this patch and use safe
> > math macros where needed.
>
> output.pos must be less than outsize which is defined by
> ZSTD_DStreamOutSize () and will be much less than even a 32bit type.
>
> delta is by definition less than pos.
>
> (new_offset - file->offset) must be less than len.
>
> This code is very similar to code in xzio.c and did not need any safe
> math functions.

IIRC it predates safe math and it may not be (fully) correct...

> Please let me know if you disagree, otherwise I'll send a new version
> next week.

I am not saying I disagree. I rather have some reservations. However, if
you convince me it is not possible or it is very difficult to blow up
this code using malformed zstd archives then I am OK with it.

Daniel

PS I am going to cut GRUB 2.14~rc1 in the second half of the week. So, it
would be nice to have these patches before that...
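
Added example, not part of the original message or of the GRUB patch: a C model of the quoted output.size computation showing what a 32-bit size does with it, next to a checked variant. It uses the GCC/Clang overflow builtins as a stand-in for the include/grub/safemath.h macros. size_model_t, the function names, the operand types and the sample values are assumptions constructed for illustration; whether the patch can reach such values is the open question in this thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: offsets are 64-bit; size_model_t models a 32-bit size type. */
typedef uint32_t size_model_t;

/* Plain arithmetic as in the quoted line: wraps and truncates silently. */
static size_model_t
unchecked_size (uint64_t file_offset, uint32_t ret, uint32_t len,
                uint64_t current_offset)
{
  return (size_model_t) (file_offset + ret + len - current_offset);
}

/* Checked form: 0 on success, -1 if a step wraps or the result
   does not fit in size_model_t. */
static int
checked_size (uint64_t file_offset, uint32_t ret, uint32_t len,
              uint64_t current_offset, size_model_t *out)
{
  uint64_t end;

  if (__builtin_add_overflow (file_offset, ret, &end)
      || __builtin_add_overflow (end, len, &end)
      || __builtin_sub_overflow (end, current_offset, &end)
      || end > UINT32_MAX)
    return -1;
  *out = (size_model_t) end;
  return 0;
}

int
main (void)
{
  /* Constructed inputs: in range, current_offset past the end, > 4 GiB. */
  const uint64_t in[3][4] = {
    { 4096, 100, 512, 4096 }, { 0, 0, 16, 32 }, { 0x100000000ULL, 0, 16, 0 }
  };

  for (int i = 0; i < 3; i++)
    {
      size_model_t out = 0;
      int rc = checked_size (in[i][0], (uint32_t) in[i][1],
                             (uint32_t) in[i][2], in[i][3], &out);
      printf ("unchecked=%u checked rc=%d size=%u\n",
              (unsigned) unchecked_size (in[i][0], (uint32_t) in[i][1],
                                         (uint32_t) in[i][2], in[i][3]),
              rc, (unsigned) out);
    }
  return 0;
}
```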