Fix stack overflow caused by infinite recursion

marta-lewandowska · marta-lewandowska · commit 2815924fe357 · 2026-04-23T13:55:05.000+02:00
if p < 4 the loop will continue forever because efidp_node_size (called by efidp_size) returns -1 if the length of the args passed to it are < 4. Resolves: bz#2459982 Resolves: CVE-2026-6862 Signed-off-by: Marta Lewandowska
diff --git a/src/loadopt.c b/src/loadopt.c
@@ -126,6 +126,8 @@ efi_loadopt_optional_data_size(efi_load_option *opt, size_t size)
 	 * need to test it.  if it /is/ size, there's no optional data. */
 	sz = ucs2size(opt->description, ret);
 	p = (uint8_t *)(opt->description) + sz;
+	if (sizeof(p) < 4)
+		return -1;
 	ret -= sz;
 	if (ret < 0) {
 		efi_error("leftover size is negative (%zd)", ret);
