MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611

Cc: Liming Gao <liming.gao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Dandan Bi 2019-02-22 15:45:24 +08:00 committed by mergify[bot]
parent c32be82e99
commit 764e8ba138
1 changed files with 8 additions and 1 deletions


@ -2,7 +2,7 @@
Implementation for EFI_HII_STRING_PROTOCOL. Implementation for EFI_HII_STRING_PROTOCOL.
Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR> Copyright (c) 2007 - 2020, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent SPDX-License-Identifier: BSD-2-Clause-Patent
@ -1006,6 +1006,7 @@ SetStringWorker (
TmpSize TmpSize
); );
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block; StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
@ -1039,6 +1040,7 @@ SetStringWorker (
OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize
); );
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block; StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
@ -1090,6 +1092,7 @@ SetStringWorker (
CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize); CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = Block; StringPackage->StringBlock = Block;
StringPackage->StringPkgHdr->Header.Length += Ext2.Length; StringPackage->StringPkgHdr->Header.Length += Ext2.Length;
@ -1275,6 +1278,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end. // Append a EFI_HII_SIBT_END block to the end.
// //
*BlockPtr = EFI_HII_SIBT_END; *BlockPtr = EFI_HII_SIBT_END;
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock; StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
@ -1406,6 +1410,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end. // Append a EFI_HII_SIBT_END block to the end.
// //
*BlockPtr = EFI_HII_SIBT_END; *BlockPtr = EFI_HII_SIBT_END;
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock; StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
@ -1448,6 +1453,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end. // Append a EFI_HII_SIBT_END block to the end.
// //
*BlockPtr = EFI_HII_SIBT_END; *BlockPtr = EFI_HII_SIBT_END;
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock; StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize; StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;
@ -1509,6 +1515,7 @@ HiiNewString (
// Append a EFI_HII_SIBT_END block to the end. // Append a EFI_HII_SIBT_END block to the end.
// //
*BlockPtr = EFI_HII_SIBT_END; *BlockPtr = EFI_HII_SIBT_END;
ZeroMem (StringPackage->StringBlock, OldBlockSize);
FreePool (StringPackage->StringBlock); FreePool (StringPackage->StringBlock);
StringPackage->StringBlock = StringBlock; StringPackage->StringBlock = StringBlock;
StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize; StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize;
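Review bot: The `ZeroMem (StringPackage->StringBlock, OldBlockSize);` / `FreePool (StringPackage->StringBlock);` pair is now repeated at seven sites across SetStringWorker and HiiNewString, with no comment saying why the block is cleared, so a later free path for StringBlock can easily be added without the scrub. I would fold the pair into one file-local helper that carries the rationale and call it at each site, as sketched below. `OldBlockSize` is assigned outside the visible hunks, and the scrub is only correct if it equals the size of the old allocation at every site. That looks consistent with the existing `CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize)` use but should be confirmed. Both function bodies start and end outside the hunks shown.

```c
//
// Clear a string block before returning it to the pool, so stale string
// contents do not remain readable in freed memory (CVE-2019-14558).
// BlockSize must be the size of the allocation behind StringBlock.
//
STATIC
VOID
ZeroAndFreeStringBlock (
  IN UINT8  *StringBlock,
  IN UINTN  BlockSize
  )
{
  ZeroMem (StringBlock, BlockSize);
  FreePool (StringBlock);
}

// … unchanged: new block is allocated and the old contents are copied into it …
ZeroAndFreeStringBlock (StringPackage->StringBlock, OldBlockSize);
StringPackage->StringBlock = Block;
```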