Enhanced BMP file security check.

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9010 6f19259b-4bc3-4df7-8a09-765794883524
vanjeff 2009-07-27 02:23:19 +00:00
parent 0adb8a3c47
commit 99f6759411
2 changed files with 28 additions and 12 deletions


@ -1,6 +1,6 @@
/*++ /*++
Copyright (c) 2004 - 2007, Intel Corporation Copyright (c) 2004 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials All rights reserved. This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -157,7 +157,7 @@ Returns:
BMP_COLOR_MAP *BmpColorMap; BMP_COLOR_MAP *BmpColorMap;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
UINTN BltBufferSize; UINT64 BltBufferSize;
UINTN Index; UINTN Index;
UINTN Height; UINTN Height;
UINTN Width; UINTN Width;
@ -185,18 +185,26 @@ Returns:
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset; Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
ImageHeader = Image; ImageHeader = Image;
BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
//
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
//
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
return EFI_UNSUPPORTED;
}
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
IsAllocated = FALSE; IsAllocated = FALSE;
if (*GopBlt == NULL) { if (*GopBlt == NULL) {
*GopBltSize = BltBufferSize; *GopBltSize = (UINTN) BltBufferSize;
*GopBlt = EfiLibAllocatePool (*GopBltSize); *GopBlt = EfiLibAllocatePool (*GopBltSize);
IsAllocated = TRUE; IsAllocated = TRUE;
if (*GopBlt == NULL) { if (*GopBlt == NULL) {
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
} else { } else {
if (*GopBltSize < BltBufferSize) { if (*GopBltSize < (UINTN) BltBufferSize) {
*GopBltSize = BltBufferSize; *GopBltSize = (UINTN) BltBufferSize;
return EFI_BUFFER_TOO_SMALL; return EFI_BUFFER_TOO_SMALL;
} }
} }
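Review bot: The new overflow check bounds only the output buffer; the input side is still trusted, because `Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset` takes the offset straight from the file header and nothing visible in this hunk compares it with the size of the BMP buffer. If no check outside the hunk covers it, a malformed header can place Image beyond the end of the input and the pixel conversion that follows would read out of bounds. I would reject the file before that assignment, e.g. `if (BmpHeader->ImageOffset >= InputImageSize) { return EFI_UNSUPPORTED; }`, where InputImageSize is a placeholder for the caller-supplied length of BmpImage, and also verify that the pixel data implied by PixelWidth, PixelHeight and the per-pixel bit count fits in what remains after the offset. The enclosing function begins and ends outside the hunk, and the second file section in this commit carries identical code and needs the same check.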


@ -1,6 +1,6 @@
/*++ /*++
Copyright (c) 2004 - 2006, Intel Corporation Copyright (c) 2004 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials All rights reserved. This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -158,7 +158,7 @@ Returns:
BMP_COLOR_MAP *BmpColorMap; BMP_COLOR_MAP *BmpColorMap;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt; EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
UINTN BltBufferSize; UINT64 BltBufferSize;
UINTN Index; UINTN Index;
UINTN Height; UINTN Height;
UINTN Width; UINTN Width;
@ -186,18 +186,26 @@ Returns:
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset; Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
ImageHeader = Image; ImageHeader = Image;
BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL); BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
//
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
//
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
return EFI_UNSUPPORTED;
}
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
IsAllocated = FALSE; IsAllocated = FALSE;
if (*GopBlt == NULL) { if (*GopBlt == NULL) {
*GopBltSize = BltBufferSize; *GopBltSize = (UINTN) BltBufferSize;
*GopBlt = EfiLibAllocatePool (*GopBltSize); *GopBlt = EfiLibAllocatePool (*GopBltSize);
IsAllocated = TRUE; IsAllocated = TRUE;
if (*GopBlt == NULL) { if (*GopBlt == NULL) {
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
} else { } else {
if (*GopBltSize < BltBufferSize) { if (*GopBltSize < (UINTN) BltBufferSize) {
*GopBltSize = BltBufferSize; *GopBltSize = (UINTN) BltBufferSize;
return EFI_BUFFER_TOO_SMALL; return EFI_BUFFER_TOO_SMALL;
} }
} }
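Review bot: BltBufferSize holds a pixel count up to the overflow check and a byte count after it, and the later `(UINTN) BltBufferSize` casts are lossless only because the check bounds the count by `(UINTN) ~0` divided by the pixel size. That dependency is not stated anywhere, so a later edit that moves or relaxes the check would turn the casts into silent truncation on 32-bit builds. I would extend the existing comment to something like `// BltBufferSize is a pixel count here; the bound keeps the byte size within UINTN, so the (UINTN) casts below cannot truncate.` The first file section has the same code and would take the same comment; since both files carry an identical copy of this computation, a shared helper would keep the two from drifting apart.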