mirror of https://github.com/acidanthera/audk.git
a7632e913c
Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only guards the de-referencing of the "WinCertificate" pointer. It does not guard the calculation of the pointer itself: WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); This is wrong; if we don't know for sure that we have enough room for a WIN_CERTIFICATE, then even creating such a pointer, not just de-referencing it, may invoke undefined behavior. Move the pointer calculation after the size check. Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Wenyi Xie <xiewenyi2@huawei.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20200901091221.20948-3-lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Wenyi Xie <xiewenyi2@huawei.com> Reviewed-by: Min M Xu <min.m.xu@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> |
||
|---|---|---|
| .. | ||
| FvReportPei | ||
| Hash2DxeCrypto | ||
| HddPassword | ||
| Include | ||
| Library | ||
| Pkcs7Verify/Pkcs7VerifyDxe | ||
| RandomNumberGenerator/RngDxe | ||
| Tcg | ||
| VariableAuthenticated/SecureBootConfigDxe | ||
| SecurityPkg.ci.yaml | ||
| SecurityPkg.dec | ||
| SecurityPkg.dsc | ||
| SecurityPkg.uni | ||
| SecurityPkgExtra.uni | ||