tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ShellPkg/hexedit: Fix a read-after-free bug 

HDiskImageSetDiskNameOffsetSize() and HFileImageSetFileName()
may be called using the current disk name or file name.
When this happens, today's implementation firstly frees the memory
and then accesses the just-freed memory.
The patch fixes this issue by doing nothing when the disk or file
name is the current one.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
This commit is contained in:
Ruiyu Ni 2018-02-08 00:05:10 +08:00
parent ad6040ec9b
commit 1efda6414f
2 changed files with 18 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
View File

@ -1,7 +1,7 @@
/** @file /** @file
Functions to deal with Disk buffer. Functions to deal with Disk buffer.
Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved. <BR> Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -120,27 +120,23 @@ HDiskImageSetDiskNameOffsetSize (
IN UINTN Size IN UINTN Size
) )
{ {
UINTN Len; if (Str == HDiskImage.Name) {
UINTN Index; //
// This function might be called using HDiskImage.FileName as Str.
// Directly return without updating HDiskImage.FileName.
//
return EFI_SUCCESS;
}
// //
// free the old file name // free the old file name
// //
SHELL_FREE_NON_NULL (HDiskImage.Name); SHELL_FREE_NON_NULL (HDiskImage.Name);
HDiskImage.Name = AllocateCopyPool (StrSize (Str), Str);
Len = StrLen (Str);
HDiskImage.Name = AllocateZeroPool (2 * (Len + 1));
if (HDiskImage.Name == NULL) { if (HDiskImage.Name == NULL) {
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
for (Index = 0; Index < Len; Index++) {
HDiskImage.Name[Index] = Str[Index];
}
HDiskImage.Name[Len] = L'\0';
HDiskImage.Offset = Offset; HDiskImage.Offset = Offset;
HDiskImage.Size = Size; HDiskImage.Size = Size;

23
ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/FileImage.c
View File

@ -1,7 +1,7 @@
/** @file /** @file
Functions to deal with file buffer. Functions to deal with file buffer.
Copyright (c) 2005 - 2015, Intel Corporation. All rights reserved. <BR> Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -110,27 +110,22 @@ HFileImageSetFileName (
IN CONST CHAR16 *Str IN CONST CHAR16 *Str
) )
{ {
UINTN Size; if (Str == HFileImage.FileName) {
UINTN Index; //
// This function might be called using HFileImage.FileName as Str.
// Directly return without updating HFileImage.FileName.
//
return EFI_SUCCESS;
}
// //
// free the old file name // free the old file name
// //
SHELL_FREE_NON_NULL (HFileImage.FileName); SHELL_FREE_NON_NULL (HFileImage.FileName);
HFileImage.FileName = AllocateCopyPool (StrSize (Str), Str);
Size = StrLen (Str);
HFileImage.FileName = AllocateZeroPool (2 * (Size + 1));
if (HFileImage.FileName == NULL) { if (HFileImage.FileName == NULL) {
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
for (Index = 0; Index < Size; Index++) {
HFileImage.FileName[Index] = Str[Index];
}
HFileImage.FileName[Size] = L'\0';
return EFI_SUCCESS; return EFI_SUCCESS;
} }