From: Adrian Vovk Date: Wed, 8 Dec 2021 02:01:46 +0000 (-0500) Subject: stub: Properly null-terminate filenames in pack_cpio_one X-Git-Tag: v250-rc3~66^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf3f4d16d6426a26638d792f887f8e3fe86def94;p=thirdparty%2Fsystemd.git stub: Properly null-terminate filenames in pack_cpio_one Previously, mangle_filename would write the null terminator, but then wouldn't increment the pointer. Thus, the pad4 call that comes immediately after mangle_filename would trample over the null terminator that mangle_filename wrote. Since the padding is all 0s, this happened to work for the filenames it was tested for However, in some cases, this would cause the pointer to be a different position than predicted. Basically, the predicted size would be one byte bigger than the actual size (the missing null terminator). Usually, this disappeared into the alignment padding at the end of the buffer, but if the buffer was already unexpectedly aligned (b/c it was a byte shorter than expected), this would cause assertion failures. Also, the c_namesize field in the cpio header was incorrect. It didn't include the null terminator, as required by the spec. --- diff --git a/src/boot/efi/cpio.c b/src/boot/efi/cpio.c index d7dd50fc8fa..d4c870284bb 100644 --- a/src/boot/efi/cpio.c +++ b/src/boot/efi/cpio.c @@ -34,7 +34,7 @@ static CHAR8* mangle_filename(CHAR8 *p, const CHAR16 *f) { *(w++) = *f; } - *w = 0; + *(w++) = 0; return w; } @@ -138,7 +138,7 @@ static EFI_STATUS pack_cpio_one( a = write_cpio_word(a, 0); /* minor(dev) */ a = write_cpio_word(a, 0); /* major(rdev) */ a = write_cpio_word(a, 0); /* minor(rdev) */ - a = write_cpio_word(a, target_dir_prefix_size + fname_size + 1); /* fname size */ + a = write_cpio_word(a, target_dir_prefix_size + fname_size + 2); /* fname size */ a = write_cpio_word(a, 0); /* "crc" */ CopyMem(a, target_dir_prefix, target_dir_prefix_size);