From 9dbfbcd660470c3b951d15af0f6ce5a423185ad2 Mon Sep 17 00:00:00 2001
From: Daniel Kiper
Date: Fri, 23 Jun 2023 00:02:24 +0200
Subject: lib/relocator: Fix OOB write when initializing lo->freebytes[]
Fixes: CID 96636
Reference:https://git.savannah.gnu.org/cgit/grub.git/commit?id=9dbfbcd660470c3b951d15af0f6ce5a423185ad2
Conflict:NA
Signed-off-by: Daniel Kiper
Reviewed-by: Vladimir Serbinenko
---
 grub-core/lib/relocator.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 568fc0b..e0478ae 100644
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -881,9 +881,11 @@ malloc_in_range (struct grub_relocator *rel,
 offend = GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT;
 lo->freebytes[offstart / 8] &= ((1 << (8 - (start % 8))) - 1);
- grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
- offend / 8 - (offstart + 7) / 8);
- lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
+ if (offend / 8 > (offstart + 7) / 8)
+ grub_memset (lo->freebytes + (offstart + 7) / 8, 0,
+ offend / 8 - (offstart + 7) / 8);
+ if (offend < GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT)
+ lo->freebytes[offend / 8] &= ~((1 << (offend % 8)) - 1);
 }
 break;
 #endif
--
cgit v1.1
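Review bot: The head-byte write on the unchanged line just above the new guards, `lo->freebytes[offstart / 8] &= ((1 << (8 - (start % 8))) - 1);`, is still unconditional and takes its index from `offstart` but its bit position from `start`; the commit bounds only the memset length and the tail index. The assignments to both variables lie outside this hunk, so it is worth confirming that `offstart` always stays below GRUB_RELOCATOR_FIRMWARE_REQUESTS_QUANT and that `start` and `offstart` agree modulo 8, or else using `offstart % 8` in the mask. When `offstart / 8 == offend / 8` both masks land on the same byte, and the head mask keeps the low bits while the tail mask clears the low bits, which looks inconsistent and may clear bits outside the requested range. A short comment above each new `if`, such as `/* the unsigned length would wrap when start and end share a byte */` and `/* offend == QUANT would index one byte past the bitmap */`, would record why the guards exist (the second assumes freebytes[] holds QUANT / 8 bytes, which is not visible here). malloc_in_range begins and ends outside the hunk.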