IntelFrameworkModulePkg: Add more checker in UefiTianoDecompressLib (CVE FIX)

Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735 https://bugzilla.tianocore.org/show_bug.cgi?id=686 To make sure the valid buffer be accessed only. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com> Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com>
2018-10-16 10:06:12 +08:00 · 2018-10-16 10:06:12 +08:00 · 684db6da64
parent 2ec7953d49
commit 684db6da64
1 changed files with 14 additions and 2 deletions
--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
@ -143,6 +143,7 @@ MakeTable (
  UINT16  Mask;
  UINT16  WordOfStart;
  UINT16  WordOfCount;
+  UINT16  MaxTableLength;

  //
  // The maximum mapping table width supported by this internal
@ -155,6 +156,9 @@ MakeTable (
  }

  for (Index = 0; Index < NumOfChar; Index++) {
+    if (BitLen[Index] > 16) {
+      return (UINT16) BAD_TABLE;
+    }
    Count[BitLen[Index]]++;
  }

@ -196,6 +200,7 @@ MakeTable (

  Avail = NumOfChar;
  Mask  = (UINT16) (1U << (15 - TableBits));
+  MaxTableLength = (UINT16) (1U << TableBits);

  for (Char = 0; Char < NumOfChar; Char++) {

@ -209,6 +214,9 @@ MakeTable (
    if (Len <= TableBits) {

      for (Index = Start[Len]; Index < NextCode; Index++) {
+        if (Index >= MaxTableLength) {
+          return (UINT16) BAD_TABLE;
+        }
        Table[Index] = Char;
      }

@ -615,10 +623,14 @@ Decode (
      //
      BytesRemain--;
      while ((INT16) (BytesRemain) >= 0) {
-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
        if (Sd->mOutBuf >= Sd->mOrigSize) {
          goto Done ;
        }
+        if (DataIdx >= Sd->mOrigSize) {
+          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
+          goto Done ;
+        }
+        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];

        BytesRemain--;
      }
@ -688,7 +700,7 @@ UefiDecompressGetInfo (
  }

  CompressedSize   = ReadUnaligned32 ((UINT32 *)Source);
-  if (SourceSize < (CompressedSize + 8)) {
+  if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
    return RETURN_INVALID_PARAMETER;
  }