The size passed to grub_utf8_to_utf16 for the source string is
used as a limit on how far the string is read if no NUL character is
encountered; however len, which is strlen(src)*2+2, is always greater
than strlen(src).
Pass the exact correct length.

Signed-off-by: Frediano Ziglio <frediano.zig...@cloud.com>
---
Changes since v3:
- pass exact size, not -1.
---
 grub-core/loader/efi/linux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index ba268eccb..38d5243fe 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -191,6 +191,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, 
grub_size_t size, char *args)
   grub_efi_status_t status;
   grub_efi_loaded_image_t *loaded_image;
   int len;
+  grub_size_t args_len;
 
   mempath = grub_malloc (2 * sizeof (grub_efi_memory_mapped_device_path_t));
   if (!mempath)
@@ -223,7 +224,8 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, 
grub_size_t size, char *args)
       grub_error (GRUB_ERR_BAD_FIRMWARE, "missing loaded_image proto");
       goto unload;
     }
-  len = (grub_strlen (args) + 1) * sizeof (grub_efi_char16_t);
+  args_len = grub_strlen (args);
+  len = (args_len + 1) * sizeof (grub_efi_char16_t);
   loaded_image->load_options =
     grub_efi_allocate_any_pages (GRUB_EFI_BYTES_TO_PAGES (len));
   if (!loaded_image->load_options)
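Review bot: The new `len = (args_len + 1) * sizeof (grub_efi_char16_t);` computes a grub_size_t product and then narrows it into the existing `int len` declared earlier in the function, so the byte count is silently truncated for a very long args string before it reaches GRUB_EFI_BYTES_TO_PAGES. Since len is now derived from the grub_size_t args_len introduced by this patch, the declaration would be more consistent as `grub_size_t len;`, which also matches the size parameters of grub_utf8_to_utf16 as inferred from this call site. The enclosing function starts and ends outside the hunk.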
@@ -231,7 +233,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, 
grub_size_t size, char *args)
 
   loaded_image->load_options_size =
     2 * grub_utf8_to_utf16 (loaded_image->load_options, len,
-                           (grub_uint8_t *) args, len, NULL);
+                           (grub_uint8_t *) args, args_len, NULL);
 
   grub_dprintf ("linux", "starting image %p\n", image_handle);
   status = b->start_image (image_handle, 0, NULL);
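Review bot: The destination size argument on the line above the changed one is still `len`, which is a byte count, while the `2 *` applied to the return value suggests grub_utf8_to_utf16 counts UTF-16 units; if so, the call over-states the destination capacity by a factor of two. With srcsize now exactly args_len the output can apparently not exceed args_len units, so this is not an overflow in practice, but the argument would be correct as `len / sizeof (grub_efi_char16_t)` or simply `args_len + 1`. Whether load_options ends up NUL-terminated now that the source NUL is no longer within srcsize depends on whether grub_utf8_to_utf16 writes a terminator, which this hunk does not show; load_options_size is taken from the return value, so consumers that honour the size are unaffected. The enclosing function starts and ends outside the hunk.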
-- 
2.49.0

