usb: sandbox: Check for string end in copy_to_unicode()

When copying the string in copy_to_unicode(), check for the null
terminator in each position, not just at the start, to avoid reading
beyond the end of the string.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>

diff --git a/drivers/usb/emul/usb-emul-uclass.c b/drivers/usb/emul/usb-emul-uclass.c
index 05f6d3d..b31dc95 100644 (file)
--- a/drivers/usb/emul/usb-emul-uclass.c
+++ b/drivers/usb/emul/usb-emul-uclass.c
@@ -15,13 +15,12 @@
 static int copy_to_unicode(char *buff, int length, const char *str)
 {
        int ptr;
-       int i;
 
        if (length < 2)
                return 0;
        buff[1] = USB_DT_STRING;
-       for (ptr = 2, i = 0; ptr + 1 < length && *str; i++, ptr += 2) {
-               buff[ptr] = str[i];
+       for (ptr = 2; ptr + 1 < length && *str; str++, ptr += 2) {
+               buff[ptr] = *str;
                buff[ptr + 1] = 0;
        }
        buff[0] = ptr;