efi_loader: Fix buffer underflow If the array index 'i' < 128, the 'codepage' array is accessed using [-128...-1] in efi_unicode_collation.c:262. This can lead to a buffer overflow. Negative index in efi_unicode_collation.c:262. The index of the 'codepage' array should be c - 0x80 instead of i - 0x80. Fixes: 0bc4b0da7b59 ("efi_loader: EFI_UNICODE_COLLATION_PROTOCOL") Signed-off-by: Mikhail Ilin <ilin.mikhail.ol@gmail.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

commit: 5e19eae8f2c108826865c69d2f63c7b68fddd82b [log] [tgz]
author: Mikhail Ilin <ilin.mikhail.ol@gmail.com> Tue Nov 22 10:33:24 2022 +0300
committer: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tue Nov 22 11:54:30 2022 +0100
tree: ddf29b4f6ef1794194768677f4ae79c1715b3b35
parent: b4be38345ef8e5595e7db4c98a0b944069fe9b13 [diff]
diff --git a/lib/efi_loader/efi_unicode_collation.c b/lib/efi_loader/efi_unicode_collation.c
index 36be798..c4c7572 100644
--- a/lib/efi_loader/efi_unicode_collation.c
+++ b/lib/efi_loader/efi_unicode_collation.c

@@ -257,7 +257,7 @@
 	for (i = 0; i < fat_size; ++i) {
 		c = (unsigned char)fat[i];
 		if (c > 0x80)
-			c = codepage[i - 0x80];
+			c = codepage[c - 0x80];
 		string[i] = c;
 		if (!c)
 			break;
commit	5e19eae8f2c108826865c69d2f63c7b68fddd82b	[log] [tgz]
author	Mikhail Ilin <ilin.mikhail.ol@gmail.com>	Tue Nov 22 10:33:24 2022 +0300
committer	Heinrich Schuchardt <heinrich.schuchardt@canonical.com>	Tue Nov 22 11:54:30 2022 +0100
tree	ddf29b4f6ef1794194768677f4ae79c1715b3b35
parent	b4be38345ef8e5595e7db4c98a0b944069fe9b13 [diff]