normal/menu: Use safe math to avoid an integer overflow

The Coverity indicates that the variable current_entry might overflow.
To prevent this use safe math when adding GRUB_MENU_PAGE_SIZE to current_entry.

On the occasion fix limiting condition which was broken.

Fixes: CID 473853
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gbp-Pq: Topic cve-2025-jan
Gbp-Pq: Name normal-menu-Use-safe-math-to-avoid-an-integer-overflow.patch

diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 7958bc8a4e81cd1007b0cb8e07af8ca51b39da0c..0d29e24278a32c8a5f8d1012f7fcd46f5fc67405 100644 (file)
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -32,6 +32,7 @@
 #include <grub/script_sh.h>
 #include <grub/gfxterm.h>
 #include <grub/dl.h>
+#include <grub/safemath.h>
 
 /* Time to delay after displaying an error message about a default/fallback
    entry failing to boot.  */
@@ -775,9 +776,7 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot, int *notify_boot)
 
            case GRUB_TERM_CTRL | 'c':
            case GRUB_TERM_KEY_NPAGE:
-             if (current_entry + GRUB_MENU_PAGE_SIZE < menu->size)
-               current_entry += GRUB_MENU_PAGE_SIZE;
-             else
+             if (grub_add (current_entry, GRUB_MENU_PAGE_SIZE, &current_entry) || current_entry >= menu->size)
                current_entry = menu->size - 1;
              menu_set_chosen_entry (current_entry);
              break;