From f4810191576cd4c766633442f6e7c5e2208c8f62 Mon Sep 17 00:00:00 2001
From: "John S. Gruber"
Date: Mon, 24 Apr 2017 14:44:59 -0400
Subject: [PATCH] Fix buffer overrun / damaged options passed to second_stage.

start is a UCS-2 character pointer and loader_len is a number of bytes. Adjust loader_len to count characters before adding to the start pointer.
---
 shim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shim.c b/shim.c
index 9de177f..f8a1e67 100644
--- a/shim.c
+++ b/shim.c
@@ -2531,7 +2531,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
 loader_str[loader_len/2-1] = L'\0';
 second_stage = loader_str;
- load_options = remaining_size ? start + loader_len : NULL;
+ load_options = remaining_size ? start + (loader_len/2) : NULL;
 load_options_size = remaining_size;
 }
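Review bot: The bytes-to-characters conversion is now written twice in this hunk (`loader_str[loader_len/2-1]` on the first context line and the new `start + (loader_len/2)`), while the fact that `loader_len` counts bytes and `start` is a `CHAR16 *` is recorded only in the commit message; a single named value such as `UINTN loader_chars = loader_len / 2;` used by both lines, or the comment `/* loader_len is in bytes; start and loader_str are CHAR16 */` above the first of them, would keep the same overrun from being reintroduced by the next edit. Integer division also rounds an odd byte count down, so if the code that derives loader_len from LoadOptions (before this hunk) can yield an odd value on malformed input, load_options would land one character before where remaining_size assumes; worth confirming that loader_len and remaining_size are derived from the same even-sized quantity. The body of set_second_stage starts before the hunk and its return lies outside it.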