tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-10-31 11:13:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

IntelFrameworkModulePkg BootMaint: Fix potential read over memory boundary

Browse Source 
This commit will resolve the issue brought by r17736.

Str   = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1);

The above using of AllocateCopyPool() will read contents out of the scope
of Str1. Potential risk for Str1 allocated at the boundary of memory
region.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qiu Shumin <shumin.qiu@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17931 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Hao Wu 2015-07-13 01:23:14 +00:00 committed by hwu1225
parent 83daa931dc
commit a3c9617ea6
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
IntelFrameworkModulePkg/Universal/BdsDxe/BootMaint/BootOption.c
View File

@ -1096,12 +1096,13 @@ BOpt_AppendFileName (
Size1 = StrSize (Str1); Size1 = StrSize (Str1);
Size2 = StrSize (Str2); Size2 = StrSize (Str2);
MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16); MaxLen = (Size1 + Size2 + sizeof (CHAR16)) / sizeof (CHAR16);
Str = AllocateCopyPool (MaxLen * sizeof (CHAR16), Str1); Str = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (Str != NULL); ASSERT (Str != NULL);
TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16)); TmpStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
ASSERT (TmpStr != NULL); ASSERT (TmpStr != NULL);
StrCatS (Str, MaxLen, Str1);
if (!((*Str == '\\') && (*(Str + 1) == 0))) { if (!((*Str == '\\') && (*(Str + 1) == 0))) {
StrCatS (Str, MaxLen, L"\\"); StrCatS (Str, MaxLen, L"\\");
} }