Enhanced BMP file security check.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9010 6f19259b-4bc3-4df7-8a09-765794883524
parent
0adb8a3c47
commit
99f6759411
|
@ -1,6 +1,6 @@
|
|||
/*++
|
||||
|
||||
Copyright (c) 2004 - 2007, Intel Corporation
|
||||
Copyright (c) 2004 - 2009, Intel Corporation
|
||||
All rights reserved. This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
|
@ -157,7 +157,7 @@ Returns:
|
|||
BMP_COLOR_MAP *BmpColorMap;
|
||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
|
||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
|
||||
UINTN BltBufferSize;
|
||||
UINT64 BltBufferSize;
|
||||
UINTN Index;
|
||||
UINTN Height;
|
||||
UINTN Width;
|
||||
|
@ -185,18 +185,26 @@ Returns:
|
|||
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
|
||||
ImageHeader = Image;
|
||||
|
||||
BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
|
||||
BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
|
||||
//
|
||||
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
|
||||
//
|
||||
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
|
||||
|
||||
IsAllocated = FALSE;
|
||||
if (*GopBlt == NULL) {
|
||||
*GopBltSize = BltBufferSize;
|
||||
*GopBltSize = (UINTN) BltBufferSize;
|
||||
*GopBlt = EfiLibAllocatePool (*GopBltSize);
|
||||
IsAllocated = TRUE;
|
||||
if (*GopBlt == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
} else {
|
||||
if (*GopBltSize < BltBufferSize) {
|
||||
*GopBltSize = BltBufferSize;
|
||||
if (*GopBltSize < (UINTN) BltBufferSize) {
|
||||
*GopBltSize = (UINTN) BltBufferSize;
|
||||
return EFI_BUFFER_TOO_SMALL;
|
||||
}
|
||||
}
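Review bot: The overflow guard added here bounds only the destination Blt buffer; the context line `Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;` still forms the source pointer from a header field, and nothing in this hunk compares `ImageOffset`, or the pixel data implied by `PixelWidth` and `PixelHeight`, with the size of the input buffer. If that is not validated above the hunk (the function starts and ends outside it), a malformed BMP can pass the new check and still be read past the end of the supplied image. I would add a guard next to the new one, along the lines of `if (BmpHeader->ImageOffset > <input buffer size>) { return EFI_UNSUPPORTED; }`, where `<input buffer size>` is a placeholder for whatever size parameter the function receives. The same applies to the matching hunk in the second file on this page.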
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*++
|
||||
|
||||
Copyright (c) 2004 - 2006, Intel Corporation
|
||||
Copyright (c) 2004 - 2009, Intel Corporation
|
||||
All rights reserved. This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
|
@ -158,7 +158,7 @@ Returns:
|
|||
BMP_COLOR_MAP *BmpColorMap;
|
||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
|
||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
|
||||
UINTN BltBufferSize;
|
||||
UINT64 BltBufferSize;
|
||||
UINTN Index;
|
||||
UINTN Height;
|
||||
UINTN Width;
|
||||
|
@ -186,18 +186,26 @@ Returns:
|
|||
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
|
||||
ImageHeader = Image;
|
||||
|
||||
BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
|
||||
BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
|
||||
//
|
||||
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
|
||||
//
|
||||
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
|
||||
|
||||
IsAllocated = FALSE;
|
||||
if (*GopBlt == NULL) {
|
||||
*GopBltSize = BltBufferSize;
|
||||
*GopBltSize = (UINTN) BltBufferSize;
|
||||
*GopBlt = EfiLibAllocatePool (*GopBltSize);
|
||||
IsAllocated = TRUE;
|
||||
if (*GopBlt == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
} else {
|
||||
if (*GopBltSize < BltBufferSize) {
|
||||
*GopBltSize = BltBufferSize;
|
||||
if (*GopBltSize < (UINTN) BltBufferSize) {
|
||||
*GopBltSize = (UINTN) BltBufferSize;
|
||||
return EFI_BUFFER_TOO_SMALL;
|
||||
}
|
||||
}
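Review bot: `BltBufferSize` holds a pixel count between the first `MultU64x32` call and the second and a byte count afterwards, and the added comment does not say which limit is being enforced. The later `(UINTN) BltBufferSize` casts are lossless only because of this check, so I would spell that out in the comment: `// BltBufferSize is the pixel count here; reject it if the byte size would not fit in UINTN, so the (UINTN) casts below cannot truncate`. A zero `PixelWidth` or `PixelHeight` also passes the check and produces a zero-byte allocation request; whether that case is handled is not visible in this hunk. The same wording applies to the identical hunk in the first file on this page.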
|
||||
|
|