From 8a72ee927a71806e00d1c7a45d77167f397102ae Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Wed, 25 Feb 2015 18:45:41 +0000

Subject: [PATCH 2/2] Fix length of allocated buffer for boot option

 comparison.

The following commit:

  commit 4aac8a1179e160397d7ef8f1e3232cfb4f3373d6

  Author: Gary Ching-Pang Lin <glin@suse.com>

  Date:   Thu Mar 6 10:57:02 2014 +0800

    [fallback] Fix the data size for boot option comparison

corrected the data size used for comparison, but also reduced the

allocation so it doesn't include the trailing UTF16LE '\0\0' at the

end of the string, with the result that the trailer of the buffer

containing the string is overwritten, which OVMF detects as memory

corruption.

Increase the size of the storage buffer in a few places to correct

this problem.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>

Cc: Laszlo Ersek <lersek@redhat.com>

Cc: Gary Ching-Pang Lin <glin@suse.com>

---

 fallback.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fallback.c b/fallback.c

index e739b78..8489b2e 100644

--- a/fallback.c

+++ b/fallback.c

@@ -163,7 +163,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,

 				StrLen(label)*2 + 2 + DevicePathSize(hddp) +

 				StrLen(arguments) * 2;

-			CHAR8 *data = AllocateZeroPool(size);

+			CHAR8 *data = AllocateZeroPool(size + 2);

 			CHAR8 *cursor = data;

 			*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;

 			cursor += sizeof (UINT32);

@@ -234,7 +234,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,

 		StrLen(label)*2 + 2 + DevicePathSize(dp) +

 		StrLen(arguments) * 2;

-	CHAR8 *data = AllocateZeroPool(size);

+	CHAR8 *data = AllocateZeroPool(size + 2);

 	if (!data)

 		return EFI_OUT_OF_RESOURCES;

 	CHAR8 *cursor = data;

-- 

2.1.0