Commit d6601a7e1c for qemu.org

commit d6601a7e1c2452100ed7e4b1d74a70b9acc0abe6
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Tue May 26 15:59:48 2026 +0200

    hw/uefi: fix parse_hexstr

    Make sure we actually have two input characters available before going
    to parse two hex digits.  Fixes one byte buffer overflow of the output
    buffer in case the input string has an odd number of characters.

    Fixes: CVE-2026-48915
    Fixes: 12058948abdf ("hw/uefi: add var-service-json.c + qapi for NV vars.")
    Reported-by: Feifan Qian <bea1e@proton.me>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-ID: <20260526135948.599148-1-kraxel@redhat.com>

diff --git a/hw/uefi/var-service-json.c b/hw/uefi/var-service-json.c
index f5f1556833..8621b86c5c 100644
--- a/hw/uefi/var-service-json.c
+++ b/hw/uefi/var-service-json.c
@@ -98,7 +98,7 @@ static void parse_hexstr(void *dest, char *src, int len)
     uint8_t *data = dest;
     size_t i;

-    for (i = 0; i < len; i += 2) {
+    for (i = 0; i + 1 < len; i += 2) {
         *(data++) =
             parse_hexchar(src[i]) << 4 |
             parse_hexchar(src[i + 1]);