From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 7 Mar 2018 07:51:09 +0000 (+0100)
Subject: systemd-boot: fix off-by-one buffer overrun
X-Git-Tag: v239~576^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F7817%2Fhead;p=thirdparty%2Fsystemd.git
systemd-boot: fix off-by-one buffer overrun
We'd allocate a buffer of some size and then write zero to the byte one after.
---
diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c
index bff8ba8d206..cd75c13f2b4 100644
--- a/src/boot/efi/util.c
+++ b/src/boot/efi/util.c
@@ -327,16 +327,15 @@ EFI_STATUS file_read(EFI_FILE_HANDLE dir, CHAR16 *name, UINTN off, UINTN size, C
 return err;
 }
- buf = AllocatePool(size);
+ buf = AllocatePool(size + 1);
 err = uefi_call_wrapper(handle->Read, 3, handle, &size, buf);
 if (!EFI_ERROR(err)) {
 buf[size] = '\0';
 *content = buf;
 if (content_size) *content_size = size;
- } else {
+ } else
 FreePool(buf);
- }
 uefi_call_wrapper(handle->Close, 1, handle);
 return err;
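Review bot: The result of `AllocatePool(size + 1)` is handed straight to `handle->Read` without a NULL check, so an allocation failure in the boot path turns into a write through a null pointer instead of an error return. A guard directly after the allocation would cover it: `if (!buf) { uefi_call_wrapper(handle->Close, 1, handle); return EFI_OUT_OF_RESOURCES; }`. Separately, `size` is a `UINTN` parameter, so `size + 1` wraps to 0 at the maximum value while `Read` is still told the buffer holds `size` bytes; rejecting that value before allocating would close the same class of overrun this commit fixes. file_read's body starts above the hunk, so whether `size` is already bounded earlier is not visible here.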