commands/usbtest: Use correct string length field

An incorrect length field is used for buffer allocation. This leads to grub_utf16_to_utf8() receiving an incorrect/different length and possibly causing OOB write. This makes sure to use the correct length. Fixes: CVE-2025-61661 Reported-by: Jamie <volticks@gmail.com> Signed-off-by: Jamie <volticks@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-07-14 09:52:59 +01:00 · 2025-07-14 09:52:59 +01:00 · 549a9cc372
commit 549a9cc372
parent 9df1e693e7
1 changed files with 1 additions and 1 deletions
--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
      return GRUB_USB_ERR_NONE;
    }

-  *string = grub_malloc (descstr.length * 2 + 1);
+  *string = grub_malloc (descstrp->length * 2 + 1);
  if (! *string)
    {
      grub_free (descstrp);