
Various improvements and fixes #300

Merged
phip1611 merged 16 commits into main from improvements
Jun 21, 2026

@phip1611 phip1611 commented Jun 19, 2026

Member

Various fixes and improvements to the code base, especially improved load() functions

@phip1611 phip1611 self-assigned this Jun 19, 2026
@phip1611 phip1611 force-pushed the improvements branch 5 times, most recently from 8690c39 to f6072a9 June 21, 2026 15:41
phip1611 added 15 commits June 21, 2026 17:41
Dynamically sized structures trust their header-provided payload length
when constructing the fat pointer. A tag that reports a total size
larger than the available byte range must be rejected before that
pointer is formed.

EFI memory map iteration casts the raw map buffer to EFI descriptors.
Reject descriptor sizes that are too small or break descriptor alignment
before constructing that iterator.

Indexed framebuffer tags encode the palette length inside the tag body.
Validate that the declared palette fits in the remaining payload before
creating the palette slice.

Multiboot2 headers must terminate the optional tag list with an end tag.
Build generated headers with that terminator and fix the end-tag
constructor to emit the correct tag type.

The chainloader must clear every byte between file size and memory size
for loaded segments. Use write_bytes after checking the ELF segment
sizes instead of writing the same destination byte repeatedly.

Callers need to distinguish malformed reported sizes from the amount of
data that was actually available. Carry both values in memory validation
errors so higher-level parsers can preserve that context.

A checksum mismatch without values is hard to diagnose when scanning
candidate headers. Preserve both the provided checksum and the
calculated checksum in the public error.

The Multiboot2 specification requires the optional tag list to end with
a terminator. Reject loaded headers that do not contain that final end
tag instead of accepting a structurally incomplete header.

Header search should not return raw bytes from a narrow fixed window
without validating the candidate. Scan the full Multiboot2 search range,
reject malformed candidate sizes, and return the parsed header with its
offset.

Boot information is a transparent reference wrapper around the validated
dynamic structure. Derive equality so callers and tests can compare
wrappers directly.

Add a shared validator for padded Multiboot2 tag sequences.
Both loaded boot information and loaded headers need the same checks
for short tag headers, undersized tag records, padding, and overrun
against the enclosing structure.

Validate the complete padded tag sequence in Multiboot2Header::load
instead of only checking that the final bytes look like an end tag.
This rejects malformed inner tag sizes before callers can iterate over
them as infallible header tags.

Validate the complete padded tag sequence in BootInformation::load
instead of only checking that the final bytes look like an end tag.
This rejects malformed inner tag sizes before callers can iterate over
them as infallible boot information tags.
@phip1611 phip1611 added this pull request to the merge queue Jun 21, 2026
Merged via the queue into main with commit 5927018 Jun 21, 2026
29 checks passed
@phip1611 phip1611 deleted the improvements branch June 21, 2026 16:02
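
The checks the commit messages list for a padded tag sequence (short tag header, undersized record, padding, overrun, missing end tag), sketched as an added example; this is not code from the pull request or the crate. `TagSeqError`, `validate_tags` and `sample` are hypothetical names, and the layout assumed is the Multiboot2 boot-information tag format: little-endian `u32` type and `u32` size, tags padded to 8 bytes, end tag of type 0 and size 8.

```rust
// Hypothetical names throughout; illustration only, not the multiboot2 crate's API.
#[derive(Debug, PartialEq, Eq)]
pub enum TagSeqError {
    ShortTagHeader { offset: usize },
    UndersizedTag { offset: usize, reported: usize },
    Overrun { offset: usize, reported: usize, available: usize },
    MissingPadding { offset: usize },
    MissingEndTag,
}
const HDR: usize = 8; // u32 type + u32 size
const END_TAG: u32 = 0;

/// Walks the whole tag area; returns the tag count (end tag included) once the end tag is reached.
pub fn validate_tags(bytes: &[u8]) -> Result<usize, TagSeqError> {
    let (mut offset, mut count) = (0usize, 0usize);
    loop {
        let rest = &bytes[offset..];
        if rest.is_empty() {
            return Err(TagSeqError::MissingEndTag);
        }
        if rest.len() < HDR {
            return Err(TagSeqError::ShortTagHeader { offset });
        }
        // Assumption: little-endian fields, as on x86.
        let typ = u32::from_le_bytes([rest[0], rest[1], rest[2], rest[3]]);
        let reported = u32::from_le_bytes([rest[4], rest[5], rest[6], rest[7]]) as usize;
        if reported < HDR {
            return Err(TagSeqError::UndersizedTag { offset, reported });
        }
        if reported > rest.len() {
            return Err(TagSeqError::Overrun { offset, reported, available: rest.len() });
        }
        count += 1;
        if typ == END_TAG && reported == HDR {
            return Ok(count);
        }
        // Each tag is padded so that the next one starts on an 8-byte boundary.
        let padded = (reported + 7) & !7;
        if padded > rest.len() {
            return Err(TagSeqError::MissingPadding { offset });
        }
        offset += padded;
    }
}

/// Constructed sample: a 12-byte tag of type 1 plus 4 padding bytes, then the end tag.
pub fn sample() -> Vec<u8> {
    vec![1, 0, 0, 0, 12, 0, 0, 0, b'a', b'b', b'c', 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0]
}
fn main() { println!("{:?}", validate_tags(&sample())); }
```

The `Overrun` variant carries both the reported size and the bytes actually available, which is the distinction the memory-validation commit message asks errors to preserve.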