[PATCH master 14/39] efi: loader: fix HII string table realloc and memset bugs
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Feb 16 00:44:14 PST 2026
Three bugs in the set_string HII protocol implementation when
expanding the string table:
1. The memset used stbl->strings which still points to the old
(potentially freed) buffer after realloc. Move the
'stbl->strings = buf' assignment before the memset.
2. The memset offset was string_id-1 (the target slot) instead of
stbl->nstrings (the first uninitialized slot), leaving a gap of
uninitialized entries.
3. stbl->nstrings was never updated after expansion, causing every
subsequent set_string to re-expand and re-zero the table.
Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
efi/loader/protocols/hii.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/efi/loader/protocols/hii.c b/efi/loader/protocols/hii.c
index f35489eba283..f9719a91a94a 100644
--- a/efi/loader/protocols/hii.c
+++ b/efi/loader/protocols/hii.c
@@ -977,10 +977,11 @@ set_string(const struct efi_hii_string_protocol *this,
if (!buf)
return EFI_EXIT(EFI_OUT_OF_RESOURCES);
- memset(&stbl->strings[string_id - 1], 0,
+ stbl->strings = buf;
+ memset(&stbl->strings[stbl->nstrings], 0,
(string_id - stbl->nstrings)
* sizeof(stbl->strings[0]));
- stbl->strings = buf;
+ stbl->nstrings = string_id;
}
str = u16_strdup(string);
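Review bot: the memset length `(string_id - stbl->nstrings) * sizeof(stbl->strings[0])` is an unsigned subtraction and the guard that enters this expansion block sits above the visible context, so confirm that the block only runs when `string_id > stbl->nstrings`; otherwise the count wraps and memset runs past the end of `buf`. With the new `stbl->nstrings = string_id;` line the ordering (compute the count from the old `nstrings`, zero, then update `nstrings`) becomes load-bearing, so a one-line comment at the memset stating that invariant would help the next reader. Moving `stbl->strings = buf;` ahead of the memset and changing the start offset from `string_id - 1` to `stbl->nstrings` match the three bugs described in the message: the zeroed range is now `[nstrings, string_id - 1]` in the new buffer, and the target slot `string_id - 1` is filled by the `u16_strdup` that follows.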
--
2.47.3
More information about the barebox mailing list