From 7ea00155b20db923833b8d3564c897b8ecf3fcc1 Mon Sep 17 00:00:00 2001
From: Vladimir Serbinenko
Date: Wed, 15 Jan 2014 22:06:56 +0100
Subject: libpayload/options: Fix out of array read.
It resulted in garbage in upper bytes of numeric options.
Change-Id: I5e5d8b770ed93c7e8a1756a5ce32444b6a045bac
Signed-off-by: Vladimir Serbinenko
Reviewed-on: http://review.coreboot.org/4691
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel
Reviewed-by: Nico Huber
---
 payloads/libpayload/drivers/options.c | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'payloads/libpayload/drivers')
diff --git a/payloads/libpayload/drivers/options.c b/payloads/libpayload/drivers/options.c
index d497c0aae6..70c2b1760d 100644
--- a/payloads/libpayload/drivers/options.c
+++ b/payloads/libpayload/drivers/options.c
@@ -310,6 +310,10 @@ int get_option_as_string(const struct nvram_accessor *nvram, struct cb_cmos_opti
 return 1;
 int cmos_length = (cmos_entry->length+7)/8;
+ /* ensure we have enough space for u64 */
+ if (cmos_length < 8)
+ cmos_length = 8;
+ /* extra byte to ensure 0-terminated strings */
 raw = malloc(cmos_length+1);
 memset(raw, 0, cmos_length+1);
-- 
cgit v1.2.3
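Review bot: The clamp `if (cmos_length < 8)` hard-codes the width of the read it protects; writing it as `if (cmos_length < (int)sizeof(u64)) cmos_length = sizeof(u64);` ties the buffer size to the type named in the comment, so the allocation and the numeric read stay in step if that type ever changes. The fix depends on the following `memset(raw, 0, cmos_length+1)` to zero the padding bytes, yet `raw` reaches memset with no NULL check after `malloc`, which is worth handling while this path is being touched. The clamp is also only a lower bound: `cmos_length` is a signed int derived from `cmos_entry->length`, and a negative result would now be silently raised to 8 instead of rejected; whether that can occur depends on the field's type, which is not visible here. get_option_as_string starts before and continues after this hunk, so the code that reads the u64 out of `raw` is not shown.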