From 8a72ee927a71806e00d1c7a45d77167f397102ae Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 25 Feb 2015 18:45:41 +0000
Subject: [PATCH 2/2] Fix length of allocated buffer for boot option
 comparison.

The following commit:

  commit 4aac8a1179e160397d7ef8f1e3232cfb4f3373d6
  Author: Gary Ching-Pang Lin <glin@suse.com>
  Date:   Thu Mar 6 10:57:02 2014 +0800

    [fallback] Fix the data size for boot option comparison

corrected the data size used for comparison, but also reduced the
allocation so it doesn't include the trailing UTF16LE '\0\0' at the
end of the string, with the result that the trailer of the buffer
containing the string is overwritten, which OVMF detects as memory
corruption.

Increase the size of the storage buffer in a few places to correct
this problem.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Gary Ching-Pang Lin <glin@suse.com>
---
 fallback.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fallback.c b/fallback.c
index e739b78..8489b2e 100644
--- a/fallback.c
+++ b/fallback.c
@@ -163,7 +163,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
 				StrLen(label)*2 + 2 + DevicePathSize(hddp) +
 				StrLen(arguments) * 2;
 
-			CHAR8 *data = AllocateZeroPool(size);
+			CHAR8 *data = AllocateZeroPool(size + 2);
 			CHAR8 *cursor = data;
 			*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
 			cursor += sizeof (UINT32);
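Review bot: the allocation in add_boot_option is still unchecked: `CHAR8 *data = AllocateZeroPool(size + 2);` is dereferenced on the next lines via `*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;` with no NULL test, while the sibling hunk in find_boot_option does `if (!data) return EFI_OUT_OF_RESOURCES;`. Since the line is being touched anyway, add the same check here. The bare `+ 2` also needs a one-line comment stating that it is the trailing UTF-16 NUL which is written into the buffer but deliberately excluded from the `size` used for comparison; without it the visible mismatch between `size` and `size + 2` invites exactly the "tidy-up" that the cited commit 4aac8a11 made and that this patch reverts.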
@@ -234,7 +234,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
 		StrLen(label)*2 + 2 + DevicePathSize(dp) +
 		StrLen(arguments) * 2;
 
-	CHAR8 *data = AllocateZeroPool(size);
+	CHAR8 *data = AllocateZeroPool(size + 2);
 	if (!data)
 		return EFI_OUT_OF_RESOURCES;
 	CHAR8 *cursor = data;
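Review bot: same point on the find_boot_option hunk, where `size` is computed as `StrLen(label)*2 + 2 + DevicePathSize(dp) + StrLen(arguments) * 2` and the extra terminator is then added only at the call site as `AllocateZeroPool(size + 2)`. Either comment the call (`/* +2: trailing UTF-16 NUL, not part of the compared length */`) or introduce a named `alloc_size = size + 2` next to `size`, so that the allocation length and the comparison length are visibly two different quantities rather than one value with an unexplained fudge. The NULL check and early return here are correct and should be mirrored in add_boot_option.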
-- 
2.1.0