hw/uefi: fix parse_hexstr

Make sure we actually have two input characters available before going
to parse two hex digits.  Fixes one byte buffer overflow of the output
buffer in case the input string has an odd number of characters.

Fixes: CVE-2026-48915
Fixes: 12058948ab ("hw/uefi: add var-service-json.c + qapi for NV vars.")
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20260526135948.599148-1-kraxel@redhat.com>
This commit is contained in:
Gerd Hoffmann
2026-05-26 15:59:48 +02:00
parent b0df6e2f2c
commit d6601a7e1c

View File

@@ -98,7 +98,7 @@ static void parse_hexstr(void *dest, char *src, int len)
uint8_t *data = dest;
size_t i;
for (i = 0; i < len; i += 2) {
for (i = 0; i + 1 < len; i += 2) {
*(data++) =
parse_hexchar(src[i]) << 4 |
parse_hexchar(src[i + 1]);