From 6c64f0c836d2e4100ab0864108d7252fb0ecd832 Mon Sep 17 00:00:00 2001
From: Vitaly Cheptsov
Date: Mon, 28 Apr 2025 18:09:39 +0300
Subject: [PATCH] BaseTools/VfrCompile: Fix memory issues

Using GCC 13.3.0 discovers an out of bounds memory access in VfrCompile when building DriverSampleDxe. This is also discoverable with ASan. The issue here is that EFI_IFR_TYPE_VALUE is a flexible type and when passed by value for string types only the header part is accessible. Assuming the remainder is zero seems to be ok as gZeroEfiIfrTypeValue is used as a variable source. This change also fixes a warning for new[]/delete[] mismatch discovered by ASan.

Signed-off-by: Vitaly Cheptsov
---
 BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp b/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
index 11470de45c..d0ef0d8f26 100644
--- a/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
+++ b/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
@@ -80,6 +80,12 @@ SConfigInfo::SConfigInfo (
 return;
 }
 
+ memset (mValue, 0, mWidth);
+
+ if (mWidth > sizeof(EFI_IFR_TYPE_VALUE)) {
+ mWidth = sizeof(EFI_IFR_TYPE_VALUE);
+ }
+
 switch (Type) {
 case EFI_IFR_TYPE_NUM_SIZE_8 :
 memcpy (mValue, &Value.u8, mWidth);
@@ -2380,7 +2386,7 @@ CVfrDefaultStore::ReRegisterDefaultStoreById (
 }
 
 if (RefName != NULL) {
- delete pNode->mRefName;
+ delete [] pNode->mRefName;
 pNode->mRefName = new CHAR8[strlen (RefName) + 1];
 if (pNode->mRefName != NULL) {
 strcpy (pNode->mRefName, RefName);
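Review bot: The `memset (mValue, 0, mWidth);` in the first hunk has to run before the clamp, while `mWidth` still equals the length handed to the `new UINT8[mWidth]` allocation above the hunk, and nothing in the code says so; a later reorder would leave the bytes past `sizeof(EFI_IFR_TYPE_VALUE)` uninitialised again. A comment such as `// Zero the whole allocation first: mWidth is reduced below, so the tail beyond sizeof(EFI_IFR_TYPE_VALUE) must already be defined here.` would pin that ordering. The clamp also changes what `mWidth` means, from the allocated/config width to the number of bytes copied from the by-value union, so any later consumer that reads `mWidth` as the buffer length would presumably see a shorter value; if that is the case, a local bound, `UINT16 CopyLen = mWidth; if (CopyLen > sizeof(EFI_IFR_TYPE_VALUE)) { CopyLen = sizeof(EFI_IFR_TYPE_VALUE); }`, used in each `memcpy` of the switch would limit the read from `Value` without altering the stored width. The switch continues past the end of the hunk, so the remaining `memcpy` cases are not visible here.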
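Review bot: In the second hunk, after `delete [] pNode->mRefName;` the member keeps pointing at freed memory until the `new CHAR8[strlen (RefName) + 1]` on the next line completes; if that allocation throws, the assignment never runs and a later `delete []` of `mRefName` would free it twice. Allocating before releasing closes that window: `CHAR8 *NewName = new CHAR8[strlen (RefName) + 1];` then `delete [] pNode->mRefName;` then `pNode->mRefName = NewName;`, with the existing NULL check and `strcpy` left as they are. Whether this tool is built with exceptions enabled is not visible from the patch, so the throw path may be moot and this is mainly a robustness point. ReRegisterDefaultStoreById begins before the hunk and ends after it.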