BaseTools: Add more checker in Decompress algorithm to access the valid buffer (CVE FIX)

Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735 https://bugzilla.tianocore.org/show_bug.cgi?id=686 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com> Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com>
2018-10-16 10:06:13 +08:00 · 2018-10-16 10:06:13 +08:00 · 041d89bc0f
parent 684db6da64
commit 041d89bc0f
2 changed files with 46 additions and 3 deletions
--- a/BaseTools/Source/C/Common/Decompress.c
+++ b/BaseTools/Source/C/Common/Decompress.c
@ -194,12 +194,16 @@ Returns:
  UINT16  Avail;
  UINT16  NextCode;
  UINT16  Mask;
  UINT16  MaxTableLength;
  for (Index = 1; Index <= 16; Index++) {
    Count[Index] = 0;
  }
  for (Index = 0; Index < NumOfChar; Index++) {
    if (BitLen[Index] > 16) {
      return (UINT16) BAD_TABLE;
    }
    Count[BitLen[Index]]++;
  }
@ -237,6 +241,7 @@ Returns:
  Avail = NumOfChar;
  Mask  = (UINT16) (1U << (15 - TableBits));
  MaxTableLength = (UINT16) (1U << TableBits);
  for (Char = 0; Char < NumOfChar; Char++) {
@ -250,6 +255,9 @@ Returns:
    if (Len <= TableBits) {
      for (Index = Start[Len]; Index < NextCode; Index++) {
        if (Index >= MaxTableLength) {
          return (UINT16) BAD_TABLE;
        }
        Table[Index] = Char;
      }
@ -643,10 +651,14 @@ Returns: (VOID)
      BytesRemain--;
      while ((INT16) (BytesRemain) >= 0) {
        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
        if (Sd->mOutBuf >= Sd->mOrigSize) {
          return ;
        }
        if (DataIdx >= Sd->mOrigSize) {
          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
          return ;
        }
        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
        BytesRemain--;
      }
@ -684,6 +696,7 @@ Returns:
 --*/
 {
  UINT8 *Src;
  UINT32 CompSize;
  *ScratchSize  = sizeof (SCRATCH_DATA);
@ -692,7 +705,13 @@ Returns:
    return EFI_INVALID_PARAMETER;
  }
  CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
  *DstSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
  if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
    return EFI_INVALID_PARAMETER;
  }
  return EFI_SUCCESS;
 }
@ -752,7 +771,7 @@ Returns:
  CompSize  = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
  OrigSize  = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
-  if (SrcSize < CompSize + 8) {
+  if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
    return EFI_INVALID_PARAMETER;
  }
--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
+++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
@ -1757,6 +1757,7 @@ Returns:
  SCRATCH_DATA      *Scratch;
  UINT8      *Src;
  UINT32     OrigSize;
  UINT32     CompSize;
  SetUtilityName(UTILITY_NAME);
@ -1765,6 +1766,7 @@ Returns:
  OutBuffer = NULL;
  Scratch   = NULL;
  OrigSize = 0;
  CompSize = 0;
  InputLength = 0;
  InputFileName = NULL;
  OutputFileName = NULL;
@ -2006,15 +2008,24 @@ Returns:
    }
    fwrite(OutBuffer, (size_t)(DstSize), 1, OutputFile);
  } else {
    if (InputLength < 8){
      Error (NULL, 0, 3000, "Invalid", "The input file %s is too small.", InputFileName);
      goto ERROR;
    }
    //
    // Get Compressed file original size
    //
    Src     = (UINT8 *)FileBuffer;
    OrigSize  = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
    CompSize  = Src[0] + (Src[1] << 8) + (Src[2] <<16) + (Src[3] <<24);
    //
    // Allocate OutputBuffer
    //
    if (InputLength < CompSize + 8 || (CompSize + 8) < 8) {
      Error (NULL, 0, 3000, "Invalid", "The input file %s data is invalid.", InputFileName);
      goto ERROR;
    }
    OutBuffer = (UINT8 *)malloc(OrigSize);
    if (OutBuffer == NULL) {
      Error (NULL, 0, 4001, "Resource:", "Memory cannot be allocated!");
@ -2204,12 +2215,16 @@ Returns:
  UINT16  Mask;
  UINT16  WordOfStart;
  UINT16  WordOfCount;
  UINT16  MaxTableLength;
  for (Index = 0; Index <= 16; Index++) {
    Count[Index] = 0;
  }
  for (Index = 0; Index < NumOfChar; Index++) {
    if (BitLen[Index] > 16) {
      return (UINT16) BAD_TABLE;
    }
    Count[BitLen[Index]]++;
  }
@ -2253,6 +2268,7 @@ Returns:
  Avail = NumOfChar;
  Mask  = (UINT16) (1U << (15 - TableBits));
  MaxTableLength = (UINT16) (1U << TableBits);
  for (Char = 0; Char < NumOfChar; Char++) {
@ -2266,6 +2282,9 @@ Returns:
    if (Len <= TableBits) {
      for (Index = Start[Len]; Index < NextCode; Index++) {
        if (Index >= MaxTableLength) {
          return (UINT16) BAD_TABLE;
        }
        Table[Index] = Char;
      }
@ -2650,11 +2669,16 @@ Returns: (VOID)
      DataIdx     = Sd->mOutBuf - DecodeP (Sd) - 1;
      BytesRemain--;
      while ((INT16) (BytesRemain) >= 0) {
        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
        if (Sd->mOutBuf >= Sd->mOrigSize) {
          goto Done ;
        }
        if (DataIdx >= Sd->mOrigSize) {
          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
          goto Done ;
        }
        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
        BytesRemain--;
      }