From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 19 Oct 2018 10:57:52 -0400
Subject: [PATCH] Fix menu entry selection based on ID and title
Currently if grub_strtoul(saved_entry_value, NULL, 0) does not return an
error, we assume the value it has produced is a correct index into our
menu entry list, and do not try to interpret the value as the "id" or
"title" . In cases where "id" or "title" start with a numeral, this
makes them impossible to use as selection criteria.
This patch splits the search into three phases - matching id, matching
title, and only once those have been exhausted, trying to interpret the
ID as a numeral. In that case, we also require that the entire string
is numeric, not merely a string with leading numeric characters.
Resolves: rhbz#1640979
---
grub-core/normal/menu.c | 146 +++++++++++++++++++++++++-----------------------
1 file changed, 75 insertions(+), 71 deletions(-)
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 6cb2a0714..95f7abaf2 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -164,12 +164,12 @@ grub_menu_set_timeout (int timeout)
}
static int
-menuentry_eq (const char *id, const char *spec)
+menuentry_eq (const char *id, const char *spec, int limit)
{
const char *ptr1, *ptr2;
ptr1 = id;
ptr2 = spec;
- while (1)
+ while (limit == -1 || ptr1 - id <= limit)
{
if (*ptr2 == '>' && ptr2[1] != '>' && *ptr1 == 0)
return ptr2 - spec;
@@ -178,7 +178,11 @@ menuentry_eq (const char *id, const char *spec)
if (*ptr2 == '>')
ptr2++;
if (*ptr1 != *ptr2)
- return 0;
+ {
+ if (limit > -1 && ptr1 - id == limit && !*ptr1 && grub_isspace(*ptr2))
+ return ptr1 -id -1;
+ return 0;
+ }
if (*ptr1 == 0)
return ptr1 - id;
ptr1++;
@@ -187,6 +191,61 @@ menuentry_eq (const char *id, const char *spec)
return 0;
}
+static int
+get_entry_number_helper(grub_menu_t menu,
+ const char * const val, const char ** const tail)
+{
+ /* See if the variable matches the title of a menu entry. */
+ int entry = -1;
+ grub_menu_entry_t e;
+ int i;
+
+ for (i = 0, e = menu->entry_list; e; i++)
+ {
+ int l = 0;
+ while (val[l] && !grub_isspace(val[l]))
+ l++;
+
+ if (menuentry_eq (e->id, val, l))
+ {
+ if (tail)
+ *tail = val + l;
+ return i;
+ }
+ e = e->next;
+ }
+
+ for (i = 0, e = menu->entry_list; e; i++)
+ {
+ int l = 0;
+ while (val[l] && !grub_isspace(val[l]))
+ l++;
+
+ if (menuentry_eq (e->title, val, l))
+ {
+ if (tail)
+ *tail = val + l;
+ return i;
+ }
+ e = e->next;
+ }
+
+ if (tail)
+ *tail = NULL;
+
+ entry = (int) grub_strtoul (val, tail, 0);
+ if (grub_errno == GRUB_ERR_BAD_NUMBER ||
+ (*tail && **tail && !grub_isspace(**tail)))
+ {
+ entry = -1;
+ if (tail)
+ *tail = NULL;
+ grub_errno = GRUB_ERR_NONE;
+ }
+
+ return entry;
+}
+
/* Get the first entry number from the value of the environment variable NAME,
which is a space-separated list of non-negative integers. The entry number
which is returned is stripped from the value of NAME. If no entry number
@@ -195,9 +254,8 @@ static int
get_and_remove_first_entry_number (grub_menu_t menu, const char *name)
{
const char *val;
- char *tail;
+ const char *tail;
int entry;
- int sz = 0;
val = grub_env_get (name);
if (! val)
@@ -205,50 +263,24 @@ get_and_remove_first_entry_number (grub_menu_t menu, const char *name)
grub_error_push ();
- entry = (int) grub_strtoul (val, &tail, 0);
+ entry = get_entry_number_helper(menu, val, &tail);
+ if (!(*tail == 0 || grub_isspace(*tail)))
+ entry = -1;
- if (grub_errno == GRUB_ERR_BAD_NUMBER)
+ if (entry >= 0)
{
- /* See if the variable matches the title of a menu entry. */
- grub_menu_entry_t e = menu->entry_list;
- int i;
-
- for (i = 0; e; i++)
- {
- sz = menuentry_eq (e->title, val);
- if (sz < 1)
- sz = menuentry_eq (e->id, val);
-
- if (sz >= 1)
- {
- entry = i;
- break;
- }
- e = e->next;
- }
-
- if (sz > 0)
- grub_errno = GRUB_ERR_NONE;
-
- if (! e)
- entry = -1;
- }
-
- if (grub_errno == GRUB_ERR_NONE)
- {
- if (sz > 0)
- tail += sz;
-
/* Skip whitespace to find the next entry. */
while (*tail && grub_isspace (*tail))
tail++;
- grub_env_set (name, tail);
+ if (*tail)
+ grub_env_set (name, tail);
+ else
+ grub_env_unset (name);
}
else
{
grub_env_unset (name);
grub_errno = GRUB_ERR_NONE;
- entry = -1;
}
grub_error_pop ();
@@ -525,6 +557,7 @@ static int
get_entry_number (grub_menu_t menu, const char *name)
{
const char *val;
+ const char *tail;
int entry;
val = grub_env_get (name);
@@ -532,38 +565,9 @@ get_entry_number (grub_menu_t menu, const char *name)
return -1;
grub_error_push ();
-
- entry = (int) grub_strtoul (val, 0, 0);
-
- if (grub_errno == GRUB_ERR_BAD_NUMBER)
- {
- /* See if the variable matches the title of a menu entry. */
- grub_menu_entry_t e = menu->entry_list;
- int i;
-
- grub_errno = GRUB_ERR_NONE;
-
- for (i = 0; e; i++)
- {
- if (menuentry_eq (e->title, val)
- || menuentry_eq (e->id, val))
- {
- entry = i;
- break;
- }
- e = e->next;
- }
-
- if (! e)
- entry = -1;
- }
-
- if (grub_errno != GRUB_ERR_NONE)
- {
- grub_errno = GRUB_ERR_NONE;
- entry = -1;
- }
-
+ entry = get_entry_number_helper(menu, val, &tail);
+ if (*tail != '\0')
+ entry = -1;
grub_error_pop ();
return entry;