From c2eb2136b41eb051847ddba68d28de8863a2babd Mon Sep 17 00:00:00 2001
From: Pierre Gondois <pierre.gondois@arm.com>
Date: Thu, 12 Jun 2025 13:28:13 +0200
Subject: [PATCH] ShellPkg/UefiShellLib: Fix Buffer underflow

Having StrLen(Buffer) == 0 results in a Buffer underflow.
Also, StrLen iterates over the Buffer elements until finding a NULL
character. This results in a quadratic search for '\r' characters
in the while loop.

Fix these issues.

Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
---
 ShellPkg/Library/UefiShellLib/UefiShellLib.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ShellPkg/Library/UefiShellLib/UefiShellLib.c b/ShellPkg/Library/UefiShellLib/UefiShellLib.c
index e68c978642..349436f678 100644
--- a/ShellPkg/Library/UefiShellLib/UefiShellLib.c
+++ b/ShellPkg/Library/UefiShellLib/UefiShellLib.c
@@ -4379,6 +4379,7 @@ ShellFileHandleReadLine (
 {
   EFI_STATUS  Status;
   CHAR16      CharBuffer;
+  UINTN       BufferLength;
   UINTN       CharSize;
   UINTN       CountSoFar;
   UINT64      OriginalFilePosition;
@@ -4455,8 +4456,9 @@ ShellFileHandleReadLine (
     return (EFI_BUFFER_TOO_SMALL);
   }
 
-  while (Buffer[StrLen (Buffer)-1] == L'\r') {
-    Buffer[StrLen (Buffer)-1] = CHAR_NULL;
+  BufferLength = StrLen (Buffer);
+  while ((BufferLength != 0) && (Buffer[--BufferLength] == L'\r')) {
+    Buffer[BufferLength] = CHAR_NULL;
   }
 
   return (Status);