tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-04-08 17:05:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

MdePkg/BasePrintLib: Avoid reading content beyond the format string

Browse Source 
https://bugzilla.tianocore.org/show_bug.cgi?id=567

In function BasePrintLibSPrintMarker(), when processing ASCII format
strings, if the format string walker pointer 'Format' is pointing at the
end of the format string (i.e. '\0'), the following expression:
*(Format + 1)
will read an undefined value.

Though this value won't affect the functionality, since it will be masked
by variable 'FormatMask':
(*(Format + 1) << 8)) & FormatMask
(FormatMask is 0xff for ASCII format string)

This commit adds additional logic to avoid reading undefined content.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
This commit is contained in:
Hao Wu 2017-05-22 14:49:11 +08:00
parent 4fc8277133
commit b1d4b9651e
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
MdePkg/Library/BasePrintLib/PrintLibInternal.c
View File

@ -653,7 +653,7 @@ BasePrintLibSPrintMarker (
//
// Get the first character from the format string
//
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
//
// Loop until the end of the format string is reached or the output buffer is full
@ -685,7 +685,7 @@ BasePrintLibSPrintMarker (
//
for (Done = FALSE; !Done; ) {
Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
switch (FormatCharacter) {
case '.':
Flags |= PRECISION;
@ -738,7 +738,7 @@ BasePrintLibSPrintMarker (
for (Count = 0; ((FormatCharacter >= '0') && (FormatCharacter <= '9')); ){
Count = (Count * 10) + FormatCharacter - '0';
Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
}
Format -= BytesPerFormatCharacter;
if ((Flags & PRECISION) == 0) {
@ -1017,7 +1017,7 @@ BasePrintLibSPrintMarker (
case '\r':
Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter == '\n') {
//
// Translate '\r\n' to '\r\n'
@ -1038,7 +1038,7 @@ BasePrintLibSPrintMarker (
//
ArgumentString = "\r\n";
Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter != '\r') {
Format -= BytesPerFormatCharacter;
}
@ -1057,7 +1057,7 @@ BasePrintLibSPrintMarker (
case '\r':
Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter == '\n') {
//
// Translate '\r\n' to '\r\n'
@ -1078,7 +1078,7 @@ BasePrintLibSPrintMarker (
//
ArgumentString = "\r\n";
Format += BytesPerFormatCharacter;
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
if (FormatCharacter != '\r') {
Format -= BytesPerFormatCharacter;
}
@ -1206,7 +1206,7 @@ BasePrintLibSPrintMarker (
//
// Get the next character from the format string
//
FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask;
FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask;
}
if ((Flags & COUNT_ONLY_NO_PRINT) != 0) {