From: Jan Janssen Date: Mon, 27 Dec 2021 21:41:50 +0000 (+0100) Subject: boot: Fix off-by-one NUL-termination X-Git-Tag: v251-rc1~636^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fab82756462fd0ce82836e3d95721954d7ab2527;p=thirdparty%2Fsystemd.git boot: Fix off-by-one NUL-termination
---
diff --git a/src/boot/efi/bcd.c b/src/boot/efi/bcd.c
index 970c8b1c8ec..1f9f19ba639 100644
--- a/src/boot/efi/bcd.c
+++ b/src/boot/efi/bcd.c
@@ -316,6 +316,6 @@ TEST_STATIC CHAR16 *get_bcd_title(UINT8 *bcd, UINTN bcd_len) {
 /* The data should already be NUL-terminated. */
 CHAR16 *title = (CHAR16 *) (bcd + description_value->data_offset);
- title[description_value->data_size / sizeof(CHAR16)] = '\0';
+ title[description_value->data_size / sizeof(CHAR16) - 1] = '\0';
 return title;
 }
diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c
index 6db4ab39695..76e4eef1eb5 100644
--- a/src/boot/efi/util.c
+++ b/src/boot/efi/util.c
@@ -174,7 +174,7 @@ EFI_STATUS efivar_get(const EFI_GUID *vendor, const CHAR16 *name, CHAR16 **value
 return EFI_SUCCESS;
 /* Return buffer directly if it happens to be NUL terminated already */
- if (size >= sizeof(CHAR16) && buf[size/sizeof(CHAR16)] == 0) {
+ if (size >= sizeof(CHAR16) && buf[size / sizeof(CHAR16) - 1] == 0) {
 *value = TAKE_PTR(buf);
 return EFI_SUCCESS;
 }
@@ -183,7 +183,7 @@ EFI_STATUS efivar_get(const EFI_GUID *vendor, const CHAR16 *name, CHAR16 **value
 val = xallocate_pool(size + sizeof(CHAR16));
 CopyMem(val, buf, size);
- val[size / sizeof(CHAR16)] = 0; /* NUL terminate */
+ val[size / sizeof(CHAR16) - 1] = 0; /* NUL terminate */
 *value = val;
 return EFI_SUCCESS;
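Review bot: The new index `description_value->data_size / sizeof(CHAR16) - 1` in get_bcd_title wraps to a very large value when `data_size` is smaller than `sizeof(CHAR16)`, and nothing visible in this hunk rejects that case. `bcd` appears to be parsed file content, so the store would then land far outside the buffer. The function body starts above the hunk; if a size check already exists there, the comment should name it, e.g. `/* The data should already be NUL-terminated; data_size >= sizeof(CHAR16) was checked above, so the index cannot wrap. */`. If it does not exist, add a guard such as `if (description_value->data_size < sizeof(CHAR16)) return NULL;` before the cast (assuming NULL is this function's failure return).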
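Review bot: In the last efivar_get hunk, `val[size / sizeof(CHAR16) - 1] = 0;` looks like a regression rather than a fix: `val` is allocated with `size + sizeof(CHAR16)` bytes and `size` bytes are copied in, so the spare element is at index `size / sizeof(CHAR16)`, where the old line wrote. With the new index the last copied character is overwritten and the spare element is never written, so the string is only terminated by truncating the value. This path is also reached when `size < sizeof(CHAR16)`, because the fast path in the previous hunk requires `size >= sizeof(CHAR16)`; the index then wraps and the store goes out of bounds, unless a check in the lines between the two hunks prevents it. Keeping `val[size / sizeof(CHAR16)] = 0; /* NUL terminate */` here, while retaining the `- 1` in the read-side check of the previous hunk, would address both.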