commands/usbtest: Use correct string length field

An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.

Fixes: CVE-2025-61661
Reported-by: Jamie <volticks@gmail.com>
Signed-off-by: Jamie <volticks@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
index 2c6d93fe66d5f1d0f322d69106eff9c4f748c53b..8ef187a9ae765c409a8039b7b00d62d750e60eee 100644 (file)
--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
       return GRUB_USB_ERR_NONE;
     }
 
-  *string = grub_malloc (descstr.length * 2 + 1);
+  *string = grub_malloc (descstrp->length * 2 + 1);
   if (! *string)
     {
       grub_free (descstrp);