On Mon, Jun 23, 2025 at 12:33 PM Frediano Ziglio via Grub-devel
<grub-devel@gnu.org> wrote:
>
> If a simple string for arguments are passed it should be NUL
> terminated. This is true for other code but not for "linux"
> command.
>
> Signed-off-by: Frediano Ziglio <frediano.zig...@cloud.com>
> ---
>  grub-core/loader/efi/linux.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
> index 78ea07ca8..afda6ef8f 100644
> --- a/grub-core/loader/efi/linux.c
> +++ b/grub-core/loader/efi/linux.c
> @@ -190,7 +190,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, 
> grub_size_t size, char *args)
>    grub_efi_boot_services_t *b;
>    grub_efi_status_t status;
>    grub_efi_loaded_image_t *loaded_image;
> -  int len;
> +  grub_size_t len;
>
>    mempath = grub_malloc (2 * sizeof (grub_efi_memory_mapped_device_path_t));
>    if (!mempath)
> @@ -230,9 +230,10 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, 
> grub_size_t size, char *args)
>    if (!loaded_image->load_options)
>      return grub_errno;
>
> -  loaded_image->load_options_size =
> -    2 * grub_utf8_to_utf16 (loaded_image->load_options, len,
> -                           (grub_uint8_t *) args, len, NULL);
> +  len = grub_utf8_to_utf16 (loaded_image->load_options, len,
> +                           (grub_uint8_t *) args, (grub_size_t) -1, NULL);
> +  ((grub_efi_char16_t*)loaded_image->load_options)[len++] = 0; /* NUL 
> terminate */
> +  loaded_image->load_options_size = len * sizeof (grub_efi_char16_t);
>

According to the description, grub_utf8_to_utf16 may return -1 which
would be a problem here since it is then used as an array index.

The assignment of loaded_image->load_options_size just above (out of the
patch context) seems unnecessary now.

Ross

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to