From a3c9617ea6a02c2ac747cf274fe9025f2d42c9bb Mon Sep 17 00:00:00 2001 From: Hao Wu Date: Mon, 13 Jul 2015 01:23:14 +0000 Subject: [PATCH] IntelFrameworkModulePkg BootMaint: Fix potential read over memory boundary This commit will resolve the issue brought by r17736. Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1); The above using of AllocateCopyPool() will read contents out of the scope of Str1. Potential risk for Str1 allocated at the boundary of memory region. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Qiu Shumin Reviewed-by: Jeff Fan git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17931 6f19259b-4bc3-4df7-8a09-765794883524
---
.../Universal/BdsDxe/BootMaint/BootOption.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
index 1519315d40..56bcfab23f 100644
--- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
+++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
@@ -1096,12 +1096,13 @@ BOpt_AppendFileName (
 Size1 = StrSize (Str1);
 Size2 = StrSize (Str2);
 MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16);
- Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);
+ Str = AllocateZeroPool (MaxLen * sizeof (CHAR16));
 ASSERT (Str != NULL);
 TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
 ASSERT (TmpStr != NULL);
+ StrCatS (Str, MaxLen, Str1);
 if (!((*Str == '\\') && (*(Str + 1) == 0))) {
 StrCatS (Str, MaxLen, L"\\");
 }
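Review bot: Allocation failure for `Str` and `TmpStr` is still handled only by `ASSERT`, so in a build where ASSERT is compiled out a NULL `Str` reaches the added `StrCatS (Str, MaxLen, Str1)` and is then dereferenced by `*Str` in the `if` that follows. I would replace each assertion with a real check, e.g. `if (Str == NULL) { return NULL; }` (assuming the function returns the string pointer, which the hunk does not show), and free `Str` before returning when the `TmpStr` allocation fails. The return status of the new `StrCatS` call is also discarded; since the destination is freshly zeroed, `StrCpyS (Str, MaxLen, Str1)` with its status checked would state the intent more directly. The body of `BOpt_AppendFileName` starts and ends outside this hunk, so how `Str` and `TmpStr` are used and released afterwards should be confirmed there.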