From eeb2443cdbe0eebb1c4db3ddd2c6819ccba5f046 Mon Sep 17 00:00:00 2001
From: Shihao Xia <charlesxsh@hotmail.com>
Date: Thu, 27 Mar 2025 21:35:59 -0400
Subject: [PATCH 1/2] init

---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 crates/redox_uefi_std/RUSTSEC-0000-0000.md

diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..15300e402f
--- /dev/null
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -0,0 +1,47 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "redox_uefi_std"
+date = "2025-03-27"
+url = "https://gitlab.redox-os.org/redox-os/uefi/-/tree/master/crates/uefi_std"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["out-of-bounds read"]
+
+```
+
+# Safe API can cause heap-buffer-overflow
+
+In redox_uefi_std's src/ffi.rs:
+```rust
+pub fn nstr(wstring: *const u16) -> String {
+    let mut string = String::new();
+
+    let mut i = 0;
+    loop {
+        let w = unsafe { *wstring.offset(i) };
+        i += 1;
+        if w == 0 {
+            break;
+        }
+        let c = unsafe { char::from_u32_unchecked(w as u32) };
+        string.push(c);
+    }
+
+    string
+}
+```
+
+Any non-zero ended array of type-mimatch(casted from u8  array) can easily cause heap buffer overflow
+```example
+fn main() {
+  let wstring:Vec<u16> = vec![0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x12];
+  let wstring_ptr = wstring.as_ptr() as *const u16;
+  let string = nstr(wstring_ptr);
+}
+```
+
+ASAN output
+```
+==1219432==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000014 at pc 0x55c4566796c2 bp 0x7ffc1f81e530 sp 0x7ffc1f81e528
+```
\ No newline at end of file

From 5fd50fa90a263a0d9ff3681e250e0b806c77ccf3 Mon Sep 17 00:00:00 2001
From: Shihao Xia <charlesxsh@hotmail.com>
Date: Fri, 25 Apr 2025 15:19:48 -0400
Subject: [PATCH 2/2] fix linting issue

---
 crates/redox_uefi_std/RUSTSEC-0000-0000.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/crates/redox_uefi_std/RUSTSEC-0000-0000.md b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
index 15300e402f..f08d84c26b 100644
--- a/crates/redox_uefi_std/RUSTSEC-0000-0000.md
+++ b/crates/redox_uefi_std/RUSTSEC-0000-0000.md
@@ -8,6 +8,10 @@ informational = "unsound"
 categories = ["memory-corruption"]
 keywords = ["out-of-bounds read"]
 
+[versions]
+patched = []
+unaffected = []
+
 ```
 
 # Safe API can cause heap-buffer-overflow