grub2/debian/patches/misc-fix-invalid-char-strtol.patch

From d1029b7aa12849339d1f23dfecb17afeb4fa292b Mon Sep 17 00:00:00 2001
From: Aaron Miller <aaronmiller@fb.com>
Date: Thu, 27 Oct 2016 17:33:07 -0400
Subject: misc: fix invalid character recongition in strto*l

Would previously allow digits larger than the base and didn't check that
subtracting the difference from 0-9 to lowercase letters for characters
larger than 9 didn't result in a value lower than 9, which allowed the
parses: ` = 9, _ = 8, ^ = 7, ] = 6, \ = 5, and [ = 4

Patch-Name: misc-fix-invalid-char-strtol.patch
---
 grub-core/kern/misc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index d1a54df6c..3a14d679e 100644
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -394,9 +394,13 @@ grub_strtoull (const char *str, char **end, int base)
       if (digit > 9)
 	{
 	  digit += '0' - 'a' + 10;
-	  if (digit >= (unsigned long) base)
+	  /* digit <= 9 check is needed to keep chars larger than
+	     '9' but less than 'a' from being read as numbers */
+	  if (digit >= (unsigned long) base || digit <= 9)
 	    break;
 	}
+      if (digit >= (unsigned long) base)
+	break;
 
       found = 1;