From: Gerd Hoffmann <[email protected]>
Make sure we actually have two input characters available before going
to parse two hex digits. Fixes one byte buffer overflow of the output
buffer in case the input string has an odd number of characters.
Fixes: CVE-2026-48915
Fixes: 12058948abdf ("hw/uefi: add var-service-json.c + qapi for NV vars.")
Reported-by: Feifan Qian <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit d6601a7e1c2452100ed7e4b1d74a70b9acc0abe6)
Signed-off-by: Michael Tokarev <[email protected]>
diff --git a/hw/uefi/var-service-json.c b/hw/uefi/var-service-json.c
index f5f1556833..8621b86c5c 100644
--- a/hw/uefi/var-service-json.c
+++ b/hw/uefi/var-service-json.c
@@ -98,7 +98,7 @@ static void parse_hexstr(void *dest, char *src, int len)
uint8_t *data = dest;
size_t i;
- for (i = 0; i < len; i += 2) {
+ for (i = 0; i + 1 < len; i += 2) {
*(data++) =
parse_hexchar(src[i]) << 4 |
parse_hexchar(src[i + 1]);
--
2.47.3
