From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Tue, 4 Dec 2018 10:53:49 +0100 Subject: [PATCH] Fix get_entry_number() wrongly dereferencing the tail pointer The get_entry_number_helper() function attempts to lookup a boot entry by either title or id matching the value of an environment variable. If they are a substring of the variable, the tail pointer is set to the first char of the remainder of the string. When get_entry_number() calls this function, it checks if this first char is a NUL byte, to know if the variable matched correctly. But tail can be set to NULL as well to indicate that there isn't a remainder in the string. Resolves: rhbz#1654936 Signed-off-by: Javier Martinez Canillas --- grub-core/normal/menu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c index fc25c702f3c..7e32c498aa8 100644 --- a/grub-core/normal/menu.c +++ b/grub-core/normal/menu.c @@ -563,7 +563,7 @@ get_entry_number (grub_menu_t menu, const char *name) grub_error_push (); entry = get_entry_number_helper(menu, val, &tail); - if (*tail != '\0') + if (tail && *tail != '\0') entry = -1; grub_error_pop ();