[PATCH] efi_loader: Fix buffer underflow If the array index 'i' < 128, the 'codepage' array is accessed using [-128...-1] in efi_unicode_collation.c:262. This can lead to a buffer overflow. Negative index in efi_unicode_collation.c:262. The index of the 'codepage' array should be c-0x80 instead of i-0x80.
Heinrich Schuchardt
xypron.glpk at gmx.de
Tue Nov 22 11:38:20 CET 2022
On 11/22/22 08:33, Mikhail Ilin wrote:
> Fixes: 0bc4b0da7b59 ("efi_loader: EFI_UNICODE_COLLATION_PROTOCOL")
Thank you for reporting the problem.
The commit message should not be in the title.
Otherwise:
Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> Signed-off-by: Mikhail Ilin <ilin.mikhail.ol at gmail.com>
> ---
> lib/efi_loader/efi_unicode_collation.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/efi_loader/efi_unicode_collation.c b/lib/efi_loader/efi_unicode_collation.c
> index c700be8756..282045b556 100644
> --- a/lib/efi_loader/efi_unicode_collation.c
> +++ b/lib/efi_loader/efi_unicode_collation.c
> @@ -259,7 +259,7 @@ static void EFIAPI efi_fat_to_str(struct efi_unicode_collation_protocol *this,
> for (i = 0; i < fat_size; ++i) {
> c = (unsigned char)fat[i];
> if (c > 0x80)
> - c = codepage[i - 0x80];
> + c = codepage[c - 0x80];
> string[i] = c;
> if (!c)
> break;
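Review bot: The guard `if (c > 0x80)` directly above the changed line leaves the byte 0x80 untranslated, so with the corrected index `c - 0x80` the entry codepage[0] is never read. If the first table entry corresponds to 0x80, the test should be `c >= 0x80`; if the table starts at a different base, the offset should match that base instead. The new index spans 1..0x7f, so it is also worth confirming that codepage holds at least 128 entries, since its declaration is not visible in this hunk.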