From: Jamie <[email protected]>

An incorrect length field is used for buffer allocation. This leads to
grub_utf16_to_utf8() receiving an incorrect/different length and possibly
causing OOB write. This makes sure to use the correct length.

Fixes: CVE-2025-61661

Reported-by: Jamie <[email protected]>
Signed-off-by: Jamie <[email protected]>
Reviewed-by: Daniel Kiper <[email protected]>
---
 grub-core/commands/usbtest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
index 2c6d93fe6..8ef187a9a 100644
--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t 
index, int langid,
       return GRUB_USB_ERR_NONE;
     }
 
-  *string = grub_malloc (descstr.length * 2 + 1);
+  *string = grub_malloc (descstrp->length * 2 + 1);
   if (! *string)
     {
       grub_free (descstrp);
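
Review bot: the `+` line sizes the buffer from `descstrp->length`, but the hunk does not show the `grub_utf16_to_utf8()` call the commit message refers to, so it cannot be confirmed from these lines that the conversion count comes from the same field. Please check that the count passed to the conversion is also derived from `descstrp->length`, so the allocation size and the write size cannot diverge again. Since `descstr` and `descstrp` differ by one character and both carry a `length`, a short comment above the `grub_malloc ()` call stating which of the two bounds the conversion would help prevent the same mix-up.
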
-- 
2.11.0

