lib/relocator: Fix OOB write when initializing lo->freebytes[]

Fixes: CID 96636
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>

diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 568fc0b8ffb17829e6550e973382c5ed8ecf29b7..e0478ae5ba33bc17eee6f87f268bd6a79ce19ca9 100644 (file)
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -881,9 +881,11 @@ malloc_in_range (struct grub_relocator *rel,
                        offend = GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT;
                      lo->freebytes[offstart / 8]
                        &= ((1 << (8 - (start % 8))) - 1);
-                     grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
-                                  offend / 8 - (offstart + 7) / 8);
-                     lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
+                     if (offend / 8 > (offstart + 7) / 8)
+                       grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
+                                    offend / 8 - (offstart + 7) / 8);
+                     if (offend < GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT)
+                       lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
                    }
                    break;
 #endif