From 190572b7142e6cbfd6ce3ab5a6ad9e528a5a8f89 Mon Sep 17 00:00:00 2001
From: Tom
Date: Sun, 2 Jan 2022 16:25:08 -0700
Subject: [PATCH] Kernel: Fix possible buffer overrun when scanning a MappedROM

If the length of the prefix was less than the chunk_size argument we were
potentionally reading past the mapped memory region.
---
 Kernel/Memory/MappedROM.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Kernel/Memory/MappedROM.h b/Kernel/Memory/MappedROM.h
index 791cf3d43d..e80870c8f2 100644
--- a/Kernel/Memory/MappedROM.h
+++ b/Kernel/Memory/MappedROM.h
@@ -23,7 +23,10 @@ public:
     Optional find_chunk_starting_with(StringView prefix, size_t chunk_size) const
     {
-        for (auto* candidate = base(); candidate < end(); candidate += chunk_size) {
+        auto prefix_length = prefix.length();
+        if (size < prefix_length)
+            return {};
+        for (auto* candidate = base(); candidate <= end() - prefix_length; candidate += chunk_size) {
             if (!__builtin_memcmp(prefix.characters_without_null_termination(), candidate, prefix.length()))
                 return paddr_of(candidate);
         }