From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Thu, 22 Jun 2023 22:02:24 +0000 (+0200)
Subject: lib/relocator: Fix OOB write when initializing lo->freebytes[]
X-Git-Tag: grub-2.12-rc1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9dbfbcd660470c3b951d15af0f6ce5a423185ad2;p=thirdparty%2Fgrub.git

lib/relocator: Fix OOB write when initializing lo->freebytes[]

Fixes: CID 96636

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
---

diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 568fc0b8f..e0478ae5b 100644
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -881,9 +881,11 @@ malloc_in_range (struct grub_relocator *rel,
 			offend = GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT;
 		      lo->freebytes[offstart / 8]
 			&= ((1 << (8 - (start % 8))) - 1);
-		      grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
-				   offend / 8 - (offstart + 7) / 8);
-		      lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
+		      if (offend / 8 > (offstart + 7) / 8)
+			grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
+				     offend / 8 - (offstart + 7) / 8);
+		      if (offend < GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT)
+			lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
 		    }
 		    break;
 #endif