[PATCH] efi_loader: Fix buffer underflow If the array index 'i' < 128, the 'codepage' array is accessed using [-128...-1] in efi_unicode_collation.c:262. This can lead to a buffer overflow. Negative index in efi_unicode_collation.c:262. The index of the 'codepage' array should be c-0x80 instead of i-0x80.
Mikhail Ilin
ilin.mikhail.ol at gmail.com
Tue Nov 22 08:33:24 CET 2022
Fixes: 0bc4b0da7b59 ("efi_loader: EFI_UNICODE_COLLATION_PROTOCOL")
Signed-off-by: Mikhail Ilin <ilin.mikhail.ol at gmail.com>
---
lib/efi_loader/efi_unicode_collation.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/efi_loader/efi_unicode_collation.c b/lib/efi_loader/efi_unicode_collation.c
index c700be8756..282045b556 100644
--- a/lib/efi_loader/efi_unicode_collation.c
+++ b/lib/efi_loader/efi_unicode_collation.c
@@ -259,7 +259,7 @@ static void EFIAPI efi_fat_to_str(struct efi_unicode_collation_protocol *this,
for (i = 0; i < fat_size; ++i) {
c = (unsigned char)fat[i];
if (c > 0x80)
- c = codepage[i - 0x80];
+ c = codepage[c - 0x80];
string[i] = c;
if (!c)
break;
--
2.17.1
More information about the U-Boot
mailing list