oss-sec mailing list archives
[SECURITY PATCH 7/8] commands/usbtest: Use correct string length field
From: Daniel Kiper <daniel.kiper () oracle com>
Date: Tue, 18 Nov 2025 19:00:20 +0100
From: Jamie <volticks () gmail com>
An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.
Fixes: CVE-2025-61661
Reported-by: Jamie <volticks () gmail com>
Signed-off-by: Jamie <volticks () gmail com>
Reviewed-by: Daniel Kiper <daniel.kiper () oracle com>
---
grub-core/commands/usbtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
index 2c6d93fe6..8ef187a9a 100644
--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
return GRUB_USB_ERR_NONE;
}
- *string = grub_malloc (descstr.length * 2 + 1);
+ *string = grub_malloc (descstrp->length * 2 + 1);
if (! *string)
{
grub_free (descstrp);
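Review bot: On the changed `grub_malloc (descstrp->length * 2 + 1)` line, the buffer size now comes from `descstrp->length`, but the hunk does not show the `grub_utf16_to_utf8()` call the commit message refers to, so it is not visible here that the conversion count is derived from the same field. It is worth confirming in the full function that the allocation and the conversion both read `descstrp->length`, ideally by computing the length once into a local and using it in both places so the two cannot diverge again. A short comment above the allocation saying why `descstrp->length` rather than `descstr.length` is the authoritative value would also help, since the commit message does not say how the two fields come to differ.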
--
2.11.0
