tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
audk/MdePkg/Library/BaseSafeIntLib/SafeIntLib.c

4166 lines
118 KiB
C
Raw Normal View History

MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
/** @file
This library provides helper functions to prevent integer overflow during
type conversion, addition, subtraction, and multiplication.
Copyright (c) 2017, Microsoft Corporation
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
**/
#include <Base.h>
#include <Library/SafeIntLib.h>
MdePkg/BaseSafeIntLib: Fix VS2015 IA32 NOOPT build failure v2: Add [LibraryClasses] section in INF file and refine coding style. There are VS2015 NOOPT IA32 build failure like below in BaseSafeIntLib. XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allmul XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allshl XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __aullshr This patch replaces direct shift/multiplication of 64-bit integer with related function call to fix these failure. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-02-26 04:55:15 +01:00
#include <Library/BaseLib.h>
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
//
// Magnitude of MIN_INT64 as expressed by a UINT64 number.
//
MdePkg/BaseSafeIntLib: clean up parentheses in MIN_INT64_MAGNITUDE The definition of the MIN_INT64_MAGNITUDE macro is correct, but it's harder to read than necessary: the sub-expression (( (UINT64) - (MIN_INT64 + 1) )) is doubly parenthesized. Reusing one pair of the outer parens, rewrite the sub-expression (without change in meaning) so that the minus sign cannot be mistaken for subtraction: ( (UINT64)(- (MIN_INT64 + 1)) ) The resultant macro definition matches the following expressions in SafeInt64Mult(): > // > // Avoid negating the most negative number. > // > UnsignedMultiplicand = ((UINT64)(- (Multiplicand + 1))) + 1; and > // > // Avoid negating the most negative number. > // > UnsignedMultiplier = ((UINT64)(- (Multiplier + 1))) + 1; Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 17:09:43 +01:00
#define MIN_INT64_MAGNITUDE (((UINT64)(- (MIN_INT64 + 1))) + 1)
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
//
// Conversion functions
//
// There are three reasons for having conversion functions:
//
// 1. We are converting from a signed type to an unsigned type of the same
// size, or vice-versa.
//
// 2. We are converting to a smaller type, and we could therefore possibly
// overflow.
//
// 3. We are converting to a bigger type, and we are signed and the type we are
// converting to is unsigned.
//
/**
INT8 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8ToUint8 (
IN INT8 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT8 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8ToChar8 (
IN INT8 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (CHAR8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT8 -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8ToUint16 (
IN INT8 Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT8 -> UINT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8ToUint32 (
IN INT8 Operand,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT8 -> UINTN conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8ToUintn (
IN INT8 Operand,
OUT UINTN *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINTN)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINTN_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT8 -> UINT64 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8ToUint64 (
IN INT8 Operand,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT64)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT8 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint8ToInt8 (
IN UINT8 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT8 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint8ToChar8 (
IN UINT8 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (CHAR8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToInt8 (
IN INT16 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToChar8 (
IN INT16 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_INT8)) {
*Result = (CHAR8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToUint8 (
IN INT16 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToUint16 (
IN INT16 Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> UINT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToUint32 (
IN INT16 Operand,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> UINTN conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToUintn (
IN INT16 Operand,
OUT UINTN *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINTN)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINTN_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT16 -> UINT64 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16ToUint64 (
IN INT16 Operand,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT64)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT16 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16ToInt8 (
IN UINT16 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT16 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16ToChar8 (
IN UINT16 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT16 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16ToUint8 (
IN UINT16 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT8) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT16 -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16ToInt16 (
IN UINT16 Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT16) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToInt8 (
IN INT32 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToChar8 (
IN INT32 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_INT8)) {
*Result = (CHAR8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToUint8 (
IN INT32 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToInt16 (
IN INT32 Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT16) && (Operand <= MAX_INT16)) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToUint16 (
IN INT32 Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT16)) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> UINT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToUint32 (
IN INT32 Operand,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT32 -> UINT64 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32ToUint64 (
IN INT32 Operand,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT64)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32ToInt8 (
IN UINT32 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32ToChar8 (
IN UINT32 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32ToUint8 (
IN UINT32 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT8) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32ToInt16 (
IN UINT32 Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT16) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32ToUint16 (
IN UINT32 Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT16) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 -> INT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32ToInt32 (
IN UINT32 Operand,
OUT INT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT32) {
*Result = (INT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToInt8 (
IN INTN Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToChar8 (
IN INTN Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_INT8)) {
*Result = (CHAR8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToUint8 (
IN INTN Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToInt16 (
IN INTN Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT16) && (Operand <= MAX_INT16)) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToUint16 (
IN INTN Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT16)) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> UINTN conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToUintn (
IN INTN Operand,
OUT UINTN *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINTN)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINTN_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INTN -> UINT64 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeIntnToUint64 (
IN INTN Operand,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT64)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToInt8 (
IN UINTN Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToChar8 (
IN UINTN Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToUint8 (
IN UINTN Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT8) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToInt16 (
IN UINTN Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT16) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToUint16 (
IN UINTN Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT16) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> INT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToInt32 (
IN UINTN Operand,
OUT INT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT32) {
*Result = (INT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINTN -> INTN conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUintnToIntn (
IN UINTN Operand,
OUT INTN *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INTN) {
*Result = (INTN)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INTN_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToInt8 (
IN INT64 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT8) && (Operand <= MAX_INT8)) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToChar8 (
IN INT64 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_INT8)) {
*Result = (CHAR8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToUint8 (
IN INT64 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT8)) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToInt16 (
IN INT64 Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT16) && (Operand <= MAX_INT16)) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToUint16 (
IN INT64 Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT16)) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> INT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToInt32 (
IN INT64 Operand,
OUT INT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= MIN_INT32) && (Operand <= MAX_INT32)) {
*Result = (INT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> UINT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToUint32 (
IN INT64 Operand,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Operand >= 0) && (Operand <= MAX_UINT32)) {
*Result = (UINT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
INT64 -> UINT64 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64ToUint64 (
IN INT64 Operand,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand >= 0) {
*Result = (UINT64)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> INT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToInt8 (
IN UINT64 Operand,
OUT INT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> CHAR8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToChar8 (
IN UINT64 Operand,
OUT CHAR8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT8) {
*Result = (INT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = CHAR8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> UINT8 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToUint8 (
IN UINT64 Operand,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT8) {
*Result = (UINT8)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> INT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToInt16 (
IN UINT64 Operand,
OUT INT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT16) {
*Result = (INT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> UINT16 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToUint16 (
IN UINT64 Operand,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT16) {
*Result = (UINT16)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> INT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToInt32 (
IN UINT64 Operand,
OUT INT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT32) {
*Result = (INT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> UINT32 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToUint32 (
IN UINT64 Operand,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_UINT32) {
*Result = (UINT32)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> INTN conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INTN_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToIntn (
IN UINT64 Operand,
OUT INTN *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INTN) {
*Result = (INTN)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INTN_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 -> INT64 conversion
Converts the value specified by Operand to a value specified by Result type
and stores the converted value into the caller allocated output buffer
specified by Result. The caller must pass in a Result buffer that is at
least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the conversion results in an overflow or an underflow condition, then
Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Operand Operand to be converted to new type
@param[out] Result Pointer to the result of conversion
@retval RETURN_SUCCESS Successful conversion
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64ToInt64 (
IN UINT64 Operand,
OUT INT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Operand <= MAX_INT64) {
*Result = (INT64)Operand;
Status = RETURN_SUCCESS;
} else {
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
//
// Addition functions
//
/**
UINT8 addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint8Add (
IN UINT8 Augend,
IN UINT8 Addend,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (((UINT8)(Augend + Addend)) >= Augend) {
*Result = (UINT8)(Augend + Addend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT16 addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16Add (
IN UINT16 Augend,
IN UINT16 Addend,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (((UINT16)(Augend + Addend)) >= Augend) {
*Result = (UINT16)(Augend + Addend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32Add (
IN UINT32 Augend,
IN UINT32 Addend,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Augend + Addend) >= Augend) {
*Result = (Augend + Addend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64Add (
IN UINT64 Augend,
IN UINT64 Addend,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if ((Augend + Addend) >= Augend) {
*Result = (Augend + Addend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
//
// Subtraction functions
//
/**
UINT8 subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint8Sub (
IN UINT8 Minuend,
IN UINT8 Subtrahend,
OUT UINT8 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Minuend >= Subtrahend) {
*Result = (UINT8)(Minuend - Subtrahend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT8_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT16 subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16Sub (
IN UINT16 Minuend,
IN UINT16 Subtrahend,
OUT UINT16 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Minuend >= Subtrahend) {
*Result = (UINT16)(Minuend - Subtrahend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT16_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT32 subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32Sub (
IN UINT32 Minuend,
IN UINT32 Subtrahend,
OUT UINT32 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Minuend >= Subtrahend) {
*Result = (Minuend - Subtrahend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT32_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
/**
UINT64 subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64Sub (
IN UINT64 Minuend,
IN UINT64 Subtrahend,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
if (Minuend >= Subtrahend) {
*Result = (Minuend - Subtrahend);
Status = RETURN_SUCCESS;
} else {
*Result = UINT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
}
return Status;
}
//
// Multiplication functions
//
/**
UINT8 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint8Mult (
IN UINT8 Multiplicand,
IN UINT8 Multiplier,
OUT UINT8 *Result
)
{
UINT32 IntermediateResult;
IntermediateResult = ((UINT32)Multiplicand) *((UINT32)Multiplier);
return SafeUint32ToUint8 (IntermediateResult, Result);
}
/**
UINT16 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint16Mult (
IN UINT16 Multiplicand,
IN UINT16 Multiplier,
OUT UINT16 *Result
)
{
UINT32 IntermediateResult;
IntermediateResult = ((UINT32)Multiplicand) *((UINT32)Multiplier);
return SafeUint32ToUint16 (IntermediateResult, Result);
}
/**
UINT32 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint32Mult (
IN UINT32 Multiplicand,
IN UINT32 Multiplier,
OUT UINT32 *Result
)
{
UINT64 IntermediateResult;
IntermediateResult = ((UINT64) Multiplicand) *((UINT64) Multiplier);
return SafeUint64ToUint32 (IntermediateResult, Result);
}
/**
UINT64 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to UINT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeUint64Mult (
IN UINT64 Multiplicand,
IN UINT64 Multiplier,
OUT UINT64 *Result
)
{
RETURN_STATUS Status;
UINT32 DwordA;
UINT32 DwordB;
UINT32 DwordC;
UINT32 DwordD;
UINT64 ProductAD;
UINT64 ProductBC;
UINT64 ProductBD;
UINT64 UnsignedResult;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
ProductAD = 0;
ProductBC = 0;
ProductBD = 0;
UnsignedResult = 0;
Status = RETURN_BUFFER_TOO_SMALL;
//
// 64x64 into 128 is like 32.32 x 32.32.
//
// a.b * c.d = a*(c.d) + .b*(c.d) = a*c + a*.d + .b*c + .b*.d
// back in non-decimal notation where A=a*2^32 and C=c*2^32:
// A*C + A*d + b*C + b*d
// So there are four components to add together.
// result = (a*c*2^64) + (a*d*2^32) + (b*c*2^32) + (b*d)
//
// a * c must be 0 or there would be bits in the high 64-bits
// a * d must be less than 2^32 or there would be bits in the high 64-bits
// b * c must be less than 2^32 or there would be bits in the high 64-bits
// then there must be no overflow of the resulting values summed up.
//
MdePkg/BaseSafeIntLib: Fix VS2015 IA32 NOOPT build failure v2: Add [LibraryClasses] section in INF file and refine coding style. There are VS2015 NOOPT IA32 build failure like below in BaseSafeIntLib. XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allmul XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allshl XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __aullshr This patch replaces direct shift/multiplication of 64-bit integer with related function call to fix these failure. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-02-26 04:55:15 +01:00
DwordA = (UINT32)RShiftU64 (Multiplicand, 32);
DwordC = (UINT32)RShiftU64 (Multiplier, 32);
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
//
// common case -- if high dwords are both zero, no chance for overflow
//
if ((DwordA == 0) && (DwordC == 0)) {
DwordB = (UINT32)Multiplicand;
DwordD = (UINT32)Multiplier;
*Result = (((UINT64)DwordB) *(UINT64)DwordD);
Status = RETURN_SUCCESS;
} else {
//
// a * c must be 0 or there would be bits set in the high 64-bits
//
if ((DwordA == 0) ||
(DwordC == 0)) {
DwordD = (UINT32)Multiplier;
//
// a * d must be less than 2^32 or there would be bits set in the high 64-bits
//
ProductAD = (((UINT64)DwordA) *(UINT64)DwordD);
if ((ProductAD & 0xffffffff00000000) == 0) {
DwordB = (UINT32)Multiplicand;
//
// b * c must be less than 2^32 or there would be bits set in the high 64-bits
//
ProductBC = (((UINT64)DwordB) *(UINT64)DwordC);
if ((ProductBC & 0xffffffff00000000) == 0) {
//
// now sum them all up checking for overflow.
// shifting is safe because we already checked for overflow above
//
MdePkg/BaseSafeIntLib: Fix VS2015 IA32 NOOPT build failure v2: Add [LibraryClasses] section in INF file and refine coding style. There are VS2015 NOOPT IA32 build failure like below in BaseSafeIntLib. XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allmul XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allshl XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __aullshr This patch replaces direct shift/multiplication of 64-bit integer with related function call to fix these failure. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-02-26 04:55:15 +01:00
if (!RETURN_ERROR (SafeUint64Add (LShiftU64 (ProductBC, 32), LShiftU64 (ProductAD, 32), &UnsignedResult))) {
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
//
// b * d
//
ProductBD = (((UINT64)DwordB) *(UINT64)DwordD);
if (!RETURN_ERROR (SafeUint64Add (UnsignedResult, ProductBD, &UnsignedResult))) {
*Result = UnsignedResult;
Status = RETURN_SUCCESS;
}
}
}
}
}
}
if (RETURN_ERROR (Status)) {
*Result = UINT64_ERROR;
}
return Status;
}
//
// Signed operations
//
// Strongly consider using unsigned numbers.
//
// Signed numbers are often used where unsigned numbers should be used.
// For example file sizes and array indices should always be unsigned.
// Subtracting a larger positive signed number from a smaller positive
// signed number with SafeInt32Sub will succeed, producing a negative number,
// that then must not be used as an array index (but can occasionally be
// used as a pointer index.) Similarly for adding a larger magnitude
// negative number to a smaller magnitude positive number.
//
// This library does not protect you from such errors. It tells you if your
// integer operations overflowed, not if you are doing the right thing
// with your non-overflowed integers.
//
// Likewise you can overflow a buffer with a non-overflowed unsigned index.
//
//
// Signed addition functions
//
/**
INT8 Addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8Add (
IN INT8 Augend,
IN INT8 Addend,
OUT INT8 *Result
)
{
return SafeInt32ToInt8 (((INT32)Augend) + ((INT32)Addend), Result);
}
/**
CHAR8 Addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeChar8Add (
IN CHAR8 Augend,
IN CHAR8 Addend,
OUT CHAR8 *Result
)
{
INT32 Augend32;
INT32 Addend32;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
Augend32 = (INT32)Augend;
Addend32 = (INT32)Addend;
if (Augend32 < 0 || Augend32 > MAX_INT8) {
*Result = CHAR8_ERROR;
return RETURN_BUFFER_TOO_SMALL;
}
if (Addend32 < 0 || Addend32 > MAX_INT8) {
*Result = CHAR8_ERROR;
return RETURN_BUFFER_TOO_SMALL;
}
return SafeInt32ToChar8 (Augend32 + Addend32, Result);
}
/**
INT16 Addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16Add (
IN INT16 Augend,
IN INT16 Addend,
OUT INT16 *Result
)
{
return SafeInt32ToInt16 (((INT32)Augend) + ((INT32)Addend), Result);
}
/**
INT32 Addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32Add (
IN INT32 Augend,
IN INT32 Addend,
OUT INT32 *Result
)
{
return SafeInt64ToInt32 (((INT64)Augend) + ((INT64)Addend), Result);
}
/**
INT64 Addition
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Augend A number to which addend will be added
@param[in] Addend A number to be added to another
@param[out] Result Pointer to the result of addition
@retval RETURN_SUCCESS Successful addition
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64Add (
IN INT64 Augend,
IN INT64 Addend,
OUT INT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
//
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Add() The addition in the assignment SignedResult = Augend + Addend; is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer addition cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.) Replace the after-the-fact result checking with checks on the operands, and only perform the addition if it is safe. Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 14:47:11 +01:00
// * An Addend of zero can never cause underflow or overflow.
//
// * A positive Addend can only cause overflow. The overflow condition is
//
// (Augend + Addend) > MAX_INT64
//
// Subtracting Addend from both sides yields
//
// Augend > (MAX_INT64 - Addend)
//
// This condition can be coded directly in C because the RHS will neither
// underflow nor overflow. That is due to the starting condition:
//
// 0 < Addend <= MAX_INT64
//
// Multiplying all three sides by (-1) yields
//
// 0 > (-Addend) >= (-MAX_INT64)
//
// Adding MAX_INT64 to all three sides yields
//
// MAX_INT64 > (MAX_INT64 - Addend) >= 0
//
// * A negative Addend can only cause underflow. The underflow condition is
//
// (Augend + Addend) < MIN_INT64
//
// Subtracting Addend from both sides yields
//
// Augend < (MIN_INT64 - Addend)
//
// This condition can be coded directly in C because the RHS will neither
// underflow nor overflow. That is due to the starting condition:
//
// MIN_INT64 <= Addend < 0
//
// Multiplying all three sides by (-1) yields
//
// (-MIN_INT64) >= (-Addend) > 0
//
// Adding MIN_INT64 to all three sides yields
//
// 0 >= (MIN_INT64 - Addend) > MIN_INT64
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
//
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Add() The addition in the assignment SignedResult = Augend + Addend; is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer addition cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.) Replace the after-the-fact result checking with checks on the operands, and only perform the addition if it is safe. Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 14:47:11 +01:00
if (((Addend > 0) && (Augend > (MAX_INT64 - Addend))) ||
((Addend < 0) && (Augend < (MIN_INT64 - Addend)))) {
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
} else {
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Add() The addition in the assignment SignedResult = Augend + Addend; is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer addition cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.) Replace the after-the-fact result checking with checks on the operands, and only perform the addition if it is safe. Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 14:47:11 +01:00
*Result = Augend + Addend;
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
Status = RETURN_SUCCESS;
}
return Status;
}
//
// Signed subtraction functions
//
/**
INT8 Subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8Sub (
IN INT8 Minuend,
IN INT8 Subtrahend,
OUT INT8 *Result
)
{
return SafeInt32ToInt8 (((INT32)Minuend) - ((INT32)Subtrahend), Result);
}
/**
CHAR8 Subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeChar8Sub (
IN CHAR8 Minuend,
IN CHAR8 Subtrahend,
OUT CHAR8 *Result
)
{
INT32 Minuend32;
INT32 Subtrahend32;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
Minuend32 = (INT32)Minuend;
Subtrahend32 = (INT32)Subtrahend;
if (Minuend32 < 0 || Minuend32 > MAX_INT8) {
*Result = CHAR8_ERROR;
return RETURN_BUFFER_TOO_SMALL;
}
if (Subtrahend32 < 0 || Subtrahend32 > MAX_INT8) {
*Result = CHAR8_ERROR;
return RETURN_BUFFER_TOO_SMALL;
}
return SafeInt32ToChar8 (Minuend32 - Subtrahend32, Result);
}
/**
INT16 Subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16Sub (
IN INT16 Minuend,
IN INT16 Subtrahend,
OUT INT16 *Result
)
{
return SafeInt32ToInt16 (((INT32)Minuend) - ((INT32)Subtrahend), Result);
}
/**
INT32 Subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32Sub (
IN INT32 Minuend,
IN INT32 Subtrahend,
OUT INT32 *Result
)
{
return SafeInt64ToInt32 (((INT64)Minuend) - ((INT64)Subtrahend), Result);
}
/**
INT64 Subtraction
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Minuend A number from which another is to be subtracted.
@param[in] Subtrahend A number to be subtracted from another
@param[out] Result Pointer to the result of subtraction
@retval RETURN_SUCCESS Successful subtraction
@retval RETURN_BUFFER_TOO_SMALL Underflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64Sub (
IN INT64 Minuend,
IN INT64 Subtrahend,
OUT INT64 *Result
)
{
RETURN_STATUS Status;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
//
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Sub() The subtraction in the assignment SignedResult = Minuend - Subtrahend; is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer subtraction cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.) Replace the after-the-fact result checking with checks on the operands, and only perform the subtraction if it is safe. Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 14:47:11 +01:00
// * A Subtrahend of zero can never cause underflow or overflow.
//
// * A positive Subtrahend can only cause underflow. The underflow condition
// is:
//
// (Minuend - Subtrahend) < MIN_INT64
//
// Adding Subtrahend to both sides yields
//
// Minuend < (MIN_INT64 + Subtrahend)
//
// This condition can be coded directly in C because the RHS will neither
// underflow nor overflow. That is due to the starting condition:
//
// 0 < Subtrahend <= MAX_INT64
//
// Adding MIN_INT64 to all three sides yields
//
// MIN_INT64 < (MIN_INT64 + Subtrahend) <= (MIN_INT64 + MAX_INT64) = -1
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
//
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Sub() The subtraction in the assignment SignedResult = Minuend - Subtrahend; is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer subtraction cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.) Replace the after-the-fact result checking with checks on the operands, and only perform the subtraction if it is safe. Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 14:47:11 +01:00
// * A negative Subtrahend can only cause overflow. The overflow condition is
//
// (Minuend - Subtrahend) > MAX_INT64
//
// Adding Subtrahend to both sides yields
//
// Minuend > (MAX_INT64 + Subtrahend)
//
// This condition can be coded directly in C because the RHS will neither
// underflow nor overflow. That is due to the starting condition:
//
// MIN_INT64 <= Subtrahend < 0
//
// Adding MAX_INT64 to all three sides yields
//
// -1 = (MAX_INT64 + MIN_INT64) <= (MAX_INT64 + Subtrahend) < MAX_INT64
//
if (((Subtrahend > 0) && (Minuend < (MIN_INT64 + Subtrahend))) ||
((Subtrahend < 0) && (Minuend > (MAX_INT64 + Subtrahend)))) {
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
} else {
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Sub() The subtraction in the assignment SignedResult = Minuend - Subtrahend; is performed with unchecked INT64 operands. According to ISO C, if the mathematical result of signed integer subtraction cannot be represented in the result type, the behavior is undefined. (Refer to ISO C99 6.5p5. 6.2.5p9 only exempts unsigned integers, and 6.3.1.3p3 does not apply because it treats the conversion of integers that have been successfully evaluated first.) Replace the after-the-fact result checking with checks on the operands, and only perform the subtraction if it is safe. Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 14:47:11 +01:00
*Result = Minuend - Subtrahend;
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
Status = RETURN_SUCCESS;
}
return Status;
}
//
// Signed multiplication functions
//
/**
INT8 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt8Mult (
IN INT8 Multiplicand,
IN INT8 Multiplier,
OUT INT8 *Result
)
{
return SafeInt32ToInt8 (((INT32)Multiplier) *((INT32)Multiplicand), Result);
}
/**
CHAR8 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to CHAR8_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeChar8Mult (
IN CHAR8 Multiplicand,
IN CHAR8 Multiplier,
OUT CHAR8 *Result
)
{
INT32 Multiplicand32;
INT32 Multiplier32;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
Multiplicand32 = (INT32)Multiplicand;
Multiplier32 = (INT32)Multiplier;
if (Multiplicand32 < 0 || Multiplicand32 > MAX_INT8) {
*Result = CHAR8_ERROR;
return RETURN_BUFFER_TOO_SMALL;
}
if (Multiplier32 < 0 || Multiplier32 > MAX_INT8) {
*Result = CHAR8_ERROR;
return RETURN_BUFFER_TOO_SMALL;
}
return SafeInt32ToChar8 (Multiplicand32 * Multiplier32, Result);
}
/**
INT16 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT16_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt16Mult (
IN INT16 Multiplicand,
IN INT16 Multiplier,
OUT INT16 *Result
)
{
return SafeInt32ToInt16 (((INT32)Multiplicand) *((INT32)Multiplier), Result);
}
/**
INT32 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT32_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt32Mult (
IN INT32 Multiplicand,
IN INT32 Multiplier,
OUT INT32 *Result
)
{
MdePkg/BaseSafeIntLib: Fix VS2015 IA32 NOOPT build failure v2: Add [LibraryClasses] section in INF file and refine coding style. There are VS2015 NOOPT IA32 build failure like below in BaseSafeIntLib. XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allmul XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __allshl XXX.lib(XXX.obj): error LNK2001: unresolved external symbol __aullshr This patch replaces direct shift/multiplication of 64-bit integer with related function call to fix these failure. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-02-26 04:55:15 +01:00
return SafeInt64ToInt32 (MultS64x64 (Multiplicand, Multiplier), Result);
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
}
/**
INT64 multiplication
Performs the requested operation using the input parameters into a value
specified by Result type and stores the converted value into the caller
allocated output buffer specified by Result. The caller must pass in a
Result buffer that is at least as large as the Result type.
If Result is NULL, RETURN_INVALID_PARAMETER is returned.
If the requested operation results in an overflow or an underflow condition,
then Result is set to INT64_ERROR and RETURN_BUFFER_TOO_SMALL is returned.
@param[in] Multiplicand A number that is to be multiplied by another
@param[in] Multiplier A number by which the multiplicand is to be multiplied
@param[out] Result Pointer to the result of multiplication
@retval RETURN_SUCCESS Successful multiplication
@retval RETURN_BUFFER_TOO_SMALL Overflow
@retval RETURN_INVALID_PARAMETER Result is NULL
**/
RETURN_STATUS
EFIAPI
SafeInt64Mult (
IN INT64 Multiplicand,
IN INT64 Multiplier,
OUT INT64 *Result
)
{
RETURN_STATUS Status;
UINT64 UnsignedMultiplicand;
UINT64 UnsignedMultiplier;
UINT64 UnsignedResult;
if (Result == NULL) {
return RETURN_INVALID_PARAMETER;
}
//
// Split into sign and magnitude, do unsigned operation, apply sign.
//
if (Multiplicand < 0) {
//
// Avoid negating the most negative number.
//
UnsignedMultiplicand = ((UINT64)(- (Multiplicand + 1))) + 1;
} else {
UnsignedMultiplicand = (UINT64)Multiplicand;
}
if (Multiplier < 0) {
//
// Avoid negating the most negative number.
//
UnsignedMultiplier = ((UINT64)(- (Multiplier + 1))) + 1;
} else {
UnsignedMultiplier = (UINT64)Multiplier;
}
Status = SafeUint64Mult (UnsignedMultiplicand, UnsignedMultiplier, &UnsignedResult);
if (!RETURN_ERROR (Status)) {
if ((Multiplicand < 0) != (Multiplier < 0)) {
if (UnsignedResult > MIN_INT64_MAGNITUDE) {
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
MdePkg/BaseSafeIntLib: fix undefined behavior in SafeInt64Mult() If we have to negate UnsignedResult (due to exactly one of Multiplicand and Multiplier being negative), and UnsignedResult is exactly MIN_INT64_MAGNITUDE (value 2^63), then the statement *Result = - ((INT64)UnsignedResult); invokes both implementation-defined behavior and undefined behavior. First, MIN_INT64_MAGNITUDE is not representable as INT64, therefore the result of the (inner) conversion (INT64)MIN_INT64_MAGNITUDE is implementation-defined, or an implementation-defined signal is raised, according to ISO C99 6.3.1.3p3. Second, if we assume that the C language implementation defines the conversion to INT64 simply as reinterpreting the bit pattern 0x8000_0000_0000_0000 as a signed integer in two's complement representation, then the conversion immediately produces the negative value MIN_INT64 (value -(2^63)). In turn, the (outer) negation -(MIN_INT64) invokes undefined behavior, because the mathematical result of the negation, namely 2^63, cannot be represented in an INT64 object. (Not even mentioning the fact that the mathematical result would be incorrect.) In practice, the undefined negation of MIN_INT64 happens to produce an unchanged, valid-looking result on x86, i.e. (-(MIN_INT64)) == MIN_INT64. We can summarize this as the undefined -- effectless -- negation canceling out the botched -- auto-negating -- implementation-defined conversion. Instead of relying on such behavior, dedicate a branch to this situation: assign MIN_INT64 directly. The branch can be triggered e.g. by multiplying (2^62) by (-2). Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Michael D Kinney <michael.d.kinney@intel.com>
2018-02-15 17:09:43 +01:00
} else if (UnsignedResult == MIN_INT64_MAGNITUDE) {
*Result = MIN_INT64;
MdePkg/BaseSafeIntLib: Add SafeIntLib class and instance https://bugzilla.tianocore.org/show_bug.cgi?id=798 SafeIntLib provides helper functions to prevent integer overflow during type conversion, addition, subtraction, and multiplication. Conversion Functions ==================== * Converting from a signed type to an unsigned type of the same size, or vice-versa. * Converting to a smaller type that could possibly overflow. * Converting from a signed type to a larger unsigned type. Unsigned Addition, Subtraction, Multiplication =============================================== * Unsigned integer math functions protect from overflow and underflow (in case of subtraction). Signed Addition, Subtraction, Multiplication ============================================ * Strongly consider using unsigned numbers. * Signed numbers are often used where unsigned numbers should be used. For example file sizes and array indices should always be unsigned. Subtracting a larger positive signed number from a smaller positive signed number with SafeInt32Sub() will succeed, producing a negative number, that then must not be used as an array index (but can occasionally be used as a pointer index.) Similarly for adding a larger magnitude negative number to a smaller magnitude positive number. * SafeIntLib does not protect you from such errors. It tells you if your integer operations overflowed, not if you are doing the right thing with your non-overflowed integers. * Likewise you can overflow a buffer with a non-overflowed unsigned index. Based on content from the following branch/commits: https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport https://github.com/Microsoft/MS_UEFI/commit/21ef3a321c907b40fa93797619c9f6c686dd92e0 https://github.com/Microsoft/MS_UEFI/commit/ca516b1a61315c2d823f453e12d2135098f53d61 https://github.com/Microsoft/MS_UEFI/commit/33bab4031a417d7d5a7d356c15a14c2e60302b2d Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Liming Gao <liming.gao@intel.com>
2017-04-25 01:37:20 +02:00
} else {
*Result = - ((INT64)UnsignedResult);
}
} else {
if (UnsignedResult > MAX_INT64) {
*Result = INT64_ERROR;
Status = RETURN_BUFFER_TOO_SMALL;
} else {
*Result = (INT64)UnsignedResult;
}
}
} else {
*Result = INT64_ERROR;
}
return Status;
}