From: Mikhail Ilin <ilin.mikhail.ol@gmail.com>
Date: Tue, 22 Nov 2022 07:33:24 +0000 (+0300)
Subject: efi_loader: Fix buffer underflow
X-Git-Tag: v2025.01-rc5-pxa1908~1205^2~10
X-Git-Url: http://git.dujemihanovic.xyz/html/index.html?a=commitdiff_plain;h=ae182a25f5777f957a2c56539221abcb5648c5c6;p=u-boot.git

efi_loader: Fix buffer underflow

If the array index 'i' < 128, the 'codepage' array is accessed using
[-128...-1] in efi_unicode_collation.c:262. This can lead to a buffer
overflow.

    Negative index in efi_unicode_collation.c:262.

The index of the 'codepage' array should be c - 0x80 instead of i - 0x80.

Fixes: 0bc4b0da7b59 ("efi_loader: EFI_UNICODE_COLLATION_PROTOCOL")
Signed-off-by: Mikhail Ilin <ilin.mikhail.ol@gmail.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---

diff --git a/lib/efi_loader/efi_unicode_collation.c b/lib/efi_loader/efi_unicode_collation.c
index 36be798f64..c4c7572063 100644
--- a/lib/efi_loader/efi_unicode_collation.c
+++ b/lib/efi_loader/efi_unicode_collation.c
@@ -257,7 +257,7 @@ static void EFIAPI efi_fat_to_str(struct efi_unicode_collation_protocol *this,
 	for (i = 0; i < fat_size; ++i) {
 		c = (unsigned char)fat[i];
 		if (c > 0x80)
-			c = codepage[i - 0x80];
+			c = codepage[c - 0x80];
 		string[i] = c;
 		if (!c)
 			break;