From: Frediano Ziglio
Date: Wed, 25 Jun 2025 13:42:40 +0000 (+0100)
Subject: loader/efi/linux: Do not pass excessive size for source string
X-Git-Tag: grub-2.14-rc1~156
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de4e8e2aa6d181096193edd137aa07608f746d24;p=thirdparty%2Fgrub.git
loader/efi/linux: Do not pass excessive size for source string
The size passed to grub_utf8_to_utf16() for the source string is used as a limit for the string if NUL character is not encountered. However, len, which is "strlen(src) * 2 + 2" is surely greater than strlen(src). Pass the exact correct length.
Signed-off-by: Frediano Ziglio
Reviewed-by: Daniel Kiper
---
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index ba268eccb..38d5243fe 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -191,6 +191,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
 grub_efi_status_t status;
 grub_efi_loaded_image_t *loaded_image;
 int len;
+ grub_size_t args_len;
 mempath = grub_malloc (2 * sizeof (grub_efi_memory_mapped_device_path_t));
 if (!mempath)
@@ -223,7 +224,8 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
 grub_error (GRUB_ERR_BAD_FIRMWARE, "missing loaded_image proto");
 goto unload;
 }
- len = (grub_strlen (args) + 1) * sizeof (grub_efi_char16_t);
+ args_len = grub_strlen (args);
+ len = (args_len + 1) * sizeof (grub_efi_char16_t);
 loaded_image->load_options = grub_efi_allocate_any_pages (GRUB_EFI_BYTES_TO_PAGES (len));
 if (!loaded_image->load_options)
@@ -231,7 +233,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
 loaded_image->load_options_size = 2 * grub_utf8_to_utf16 (loaded_image->load_options, len,
- (grub_uint8_t *) args, len, NULL);
+ (grub_uint8_t *) args, args_len, NULL);
 grub_dprintf ("linux", "starting image %p\n", image_handle);
 status = b->start_image (image_handle, 0, NULL);
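Review bot: `len` stays declared as `int` while the new `args_len` is `grub_size_t`, so the second hunk's `len = (args_len + 1) * sizeof (grub_efi_char16_t);` narrows an unsigned size_t-width product into a signed int before it reaches GRUB_EFI_BYTES_TO_PAGES and the destination-size argument of grub_utf8_to_utf16; declaring `grub_size_t len;` next to `grub_size_t args_len;` in the first hunk keeps both counts in one type and avoids the implicit conversion. The third hunk still passes `len`, a byte count, as the destination size while `args_len` is the source byte count, so it is worth confirming whether grub_utf8_to_utf16 takes its destination size in bytes or in UTF-16 units and recording that in a one-line comment at the call, e.g. `/* len is in bytes; destsize unit of grub_utf8_to_utf16 — confirm */`. grub_arch_efi_linux_boot_image begins and ends outside these hunks, so whether `args` is guaranteed non-NULL before `grub_strlen (args)` cannot be checked from here.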