mirror of https://github.com/acidanthera/audk.git
Enhanced BMP file security check.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9010 6f19259b-4bc3-4df7-8a09-765794883524
parent
0adb8a3c47
commit
99f6759411
|
@ -1,6 +1,6 @@
|
||||||
/*++
|
/*++
|
||||||
|
|
||||||
Copyright (c) 2004 - 2007, Intel Corporation
|
Copyright (c) 2004 - 2009, Intel Corporation
|
||||||
All rights reserved. This program and the accompanying materials
|
All rights reserved. This program and the accompanying materials
|
||||||
are licensed and made available under the terms and conditions of the BSD License
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
which accompanies this distribution. The full text of the license may be found at
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
@ -157,7 +157,7 @@ Returns:
|
||||||
BMP_COLOR_MAP *BmpColorMap;
|
BMP_COLOR_MAP *BmpColorMap;
|
||||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
|
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
|
||||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
|
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
|
||||||
UINTN BltBufferSize;
|
UINT64 BltBufferSize;
|
||||||
UINTN Index;
|
UINTN Index;
|
||||||
UINTN Height;
|
UINTN Height;
|
||||||
UINTN Width;
|
UINTN Width;
|
||||||
|
@ -185,18 +185,26 @@ Returns:
|
||||||
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
|
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
|
||||||
ImageHeader = Image;
|
ImageHeader = Image;
|
||||||
|
|
||||||
BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
|
BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
|
||||||
|
//
|
||||||
|
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
|
||||||
|
//
|
||||||
|
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
|
||||||
|
return EFI_UNSUPPORTED;
|
||||||
|
}
|
||||||
|
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
|
||||||
|
|
||||||
IsAllocated = FALSE;
|
IsAllocated = FALSE;
|
||||||
if (*GopBlt == NULL) {
|
if (*GopBlt == NULL) {
|
||||||
*GopBltSize = BltBufferSize;
|
*GopBltSize = (UINTN) BltBufferSize;
|
||||||
*GopBlt = EfiLibAllocatePool (*GopBltSize);
|
*GopBlt = EfiLibAllocatePool (*GopBltSize);
|
||||||
IsAllocated = TRUE;
|
IsAllocated = TRUE;
|
||||||
if (*GopBlt == NULL) {
|
if (*GopBlt == NULL) {
|
||||||
return EFI_OUT_OF_RESOURCES;
|
return EFI_OUT_OF_RESOURCES;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (*GopBltSize < BltBufferSize) {
|
if (*GopBltSize < (UINTN) BltBufferSize) {
|
||||||
*GopBltSize = BltBufferSize;
|
*GopBltSize = (UINTN) BltBufferSize;
|
||||||
return EFI_BUFFER_TOO_SMALL;
|
return EFI_BUFFER_TOO_SMALL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
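Review bot: The new guard bounds only the output side: it rejects a `PixelWidth * PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)` that does not fit in `UINTN`, but nothing visible in this hunk checks that the BMP data is actually that large. The context line `Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;` still uses `ImageOffset` straight from the header. Unless the part of the function above the hunk already validates these fields, a header with a large offset or large dimensions would presumably make the later pixel conversion read past the supplied image, even though the Blt buffer is now sized correctly. I would add a check before the `Image` assignment along the lines of `if (BmpHeader->ImageOffset > <image length in bytes>) { return EFI_UNSUPPORTED; }`, where the bracketed part is a placeholder for whatever parameter carries the input size, plus a matching check that the pixel data fits in the remainder. The same applies to the identical hunk in the second file of this commit; the function body starts and ends outside both hunks.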
@ -1,6 +1,6 @@
|
||||||
/*++
|
/*++
|
||||||
|
|
||||||
Copyright (c) 2004 - 2006, Intel Corporation
|
Copyright (c) 2004 - 2009, Intel Corporation
|
||||||
All rights reserved. This program and the accompanying materials
|
All rights reserved. This program and the accompanying materials
|
||||||
are licensed and made available under the terms and conditions of the BSD License
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
which accompanies this distribution. The full text of the license may be found at
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
@ -158,7 +158,7 @@ Returns:
|
||||||
BMP_COLOR_MAP *BmpColorMap;
|
BMP_COLOR_MAP *BmpColorMap;
|
||||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
|
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;
|
||||||
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
|
EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;
|
||||||
UINTN BltBufferSize;
|
UINT64 BltBufferSize;
|
||||||
UINTN Index;
|
UINTN Index;
|
||||||
UINTN Height;
|
UINTN Height;
|
||||||
UINTN Width;
|
UINTN Width;
|
||||||
|
@ -186,18 +186,26 @@ Returns:
|
||||||
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
|
Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;
|
||||||
ImageHeader = Image;
|
ImageHeader = Image;
|
||||||
|
|
||||||
BltBufferSize = BmpHeader->PixelWidth * BmpHeader->PixelHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);
|
BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);
|
||||||
|
//
|
||||||
|
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow
|
||||||
|
//
|
||||||
|
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {
|
||||||
|
return EFI_UNSUPPORTED;
|
||||||
|
}
|
||||||
|
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
|
||||||
|
|
||||||
IsAllocated = FALSE;
|
IsAllocated = FALSE;
|
||||||
if (*GopBlt == NULL) {
|
if (*GopBlt == NULL) {
|
||||||
*GopBltSize = BltBufferSize;
|
*GopBltSize = (UINTN) BltBufferSize;
|
||||||
*GopBlt = EfiLibAllocatePool (*GopBltSize);
|
*GopBlt = EfiLibAllocatePool (*GopBltSize);
|
||||||
IsAllocated = TRUE;
|
IsAllocated = TRUE;
|
||||||
if (*GopBlt == NULL) {
|
if (*GopBlt == NULL) {
|
||||||
return EFI_OUT_OF_RESOURCES;
|
return EFI_OUT_OF_RESOURCES;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (*GopBltSize < BltBufferSize) {
|
if (*GopBltSize < (UINTN) BltBufferSize) {
|
||||||
*GopBltSize = BltBufferSize;
|
*GopBltSize = (UINTN) BltBufferSize;
|
||||||
return EFI_BUFFER_TOO_SMALL;
|
return EFI_BUFFER_TOO_SMALL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
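Review bot: `(UINTN) ~0` in the added overflow check only yields all-ones because the `int` value -1 is converted to `UINTN`; `~(UINTN) 0` states the intended maximum directly, as in `if (BltBufferSize > DivU64x32 (~(UINTN) 0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), NULL)) {`. The comment above the check would also be more useful if it said why the limit is `UINTN` rather than `UINT64`, for example `// The byte count must fit in UINTN: it is stored in *GopBltSize and passed to EfiLibAllocatePool`. That is what makes the later `(UINTN) BltBufferSize` casts lossless, which is not obvious when reading them on their own. Both remarks apply equally to the identical hunk in the first file of this commit.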