libefivar: Fix a buffer overread.

DevPathToTextUsbWWID allocates a separate copy of the SerialNumber string to append a null terminator if the original string is not null terminated. However, by using AllocateCopyPool, it tries to copy 'Length + 1' words from the existing string containing 'Length' characters into the target string. Split the copy out to only copy 'Length' characters instead. Reviewed by: imp, emaste Reported by: GCC 12 -Wstringop-overread Differential Revision: https://reviews.freebsd.org/D36826
2026-05-28 04:12:45 -04:00 · 2022-10-03 16:10:44 -07:00 · 2022-10-03 16:10:44 -07:00 · d30a1689f5
commit d30a1689f5
parent 611cf39267
1 changed files with 2 additions and 1 deletions
--- a/lib/libefivar/efivar-dp-format.c
+++ b/lib/libefivar/efivar-dp-format.c
@ -1049,8 +1049,9 @@ DevPathToTextUsbWWID (
    //
    // In case no NULL terminator in SerialNumber, create a new one with NULL terminator
    //
-    NewStr = AllocateCopyPool ((Length + 1) * sizeof (CHAR16), SerialNumberStr);
+    NewStr = AllocatePool ((Length + 1) * sizeof (CHAR16));
    ASSERT (NewStr != NULL);
+    CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16));
    NewStr[Length]  = 0;
    SerialNumberStr = NewStr;
  }