From 6b2510522f92026dc17e1c5508bbfab935741012 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 25 Feb 2015 18:45:41 +0000 Subject: Fix length of allocated buffer for boot option comparison. The following commit: commit 4aac8a1179e160397d7ef8f1e3232cfb4f3373d6 Author: Gary Ching-Pang Lin Date: Thu Mar 6 10:57:02 2014 +0800 [fallback] Fix the data size for boot option comparison corrected the data size used for comparison, but also reduced the allocation so it doesn't include the trailing UTF16LE '\0\0' at the end of the string, with the result that the trailer of the buffer containing the string is overwritten, which OVMF detects as memory corruption. Increase the size of the storage buffer in a few places to correct this problem. Signed-off-by: Richard W.M. Jones Cc: Laszlo Ersek Cc: Gary Ching-Pang Lin --- fallback.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'fallback.c') diff --git a/fallback.c b/fallback.c index e739b78b..8489b2e8 100644 --- a/fallback.c +++ b/fallback.c @@ -163,7 +163,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, StrLen(label)*2 + 2 + DevicePathSize(hddp) + StrLen(arguments) * 2; - CHAR8 *data = AllocateZeroPool(size); + CHAR8 *data = AllocateZeroPool(size + 2); CHAR8 *cursor = data; *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; cursor += sizeof (UINT32); @@ -234,7 +234,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, StrLen(label)*2 + 2 + DevicePathSize(dp) + StrLen(arguments) * 2; - CHAR8 *data = AllocateZeroPool(size); + CHAR8 *data = AllocateZeroPool(size + 2); if (!data) return EFI_OUT_OF_RESOURCES; CHAR8 *cursor = data; -- cgit v1.2.3
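Review bot: In the add_boot_option hunk the pointer returned by `AllocateZeroPool(size + 2)` is written through on the following lines (`*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;`) with no NULL check, whereas the find_boot_option hunk tests `if (!data)` before using the buffer. If the pool allocation fails, this path stores through a null pointer. Adding `if (!data) return EFI_OUT_OF_RESOURCES;` directly after the allocation would make the two functions consistent, assuming add_boot_option returns an EFI_STATUS as find_boot_option appears to. The function's return type and the rest of its body are outside the hunk.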
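Review bot: The bare `+ 2` in `AllocateZeroPool(size + 2)` in find_boot_option (and on the identical line in add_boot_option) is unexplained, so a later change to the size arithmetic could reintroduce the overrun the commit message describes. A comment such as `/* size omits the UTF-16 NUL after arguments so it is not compared; allocate room for it because the copy writes it */`, with the constant spelled `sizeof (CHAR16)`, would record the intent. The copy that writes the terminator is outside this hunk, so the wording should be checked against it. Both functions repeat the same size expression, so the allocation length could also be computed in one place.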