* [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound @ 2018-10-16 7:27 Liming Gao 2018-10-17 8:43 ` Zeng, Star 0 siblings, 1 reply; 4+ messages in thread From: Liming Gao @ 2018-10-16 7:27 UTC (permalink / raw) To: edk2-devel Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao <liming.gao@intel.com> --- MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
index fd42b3b..f3b3cb8 100644
--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
+++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
@@ -858,6 +858,7 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const HuffmanCode* table,
 uint32_t code;
 uint32_t nbits;
 code = ReadSymbol(table, br);
+ ASSERT (code < BROTLI_NUM_BLOCK_LEN_SYMBOLS);
 nbits = kBlockLengthPrefixCode[code].nbits; /* nbits == 2..24 */
 return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits);
 }
@@ -910,6 +911,7 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform(
 uint32_t upper_bound = state->mtf_upper_bound;
 uint32_t* mtf = &state->mtf[1]; /* Make mtf[-1] addressable. */
 uint8_t* mtf_u8 = (uint8_t*)mtf;
+ uint8_t* mtf_u8t = mtf_u8 - 1;
 /* Load endian-aware constant. */
 const uint8_t b0123[4] = {0, 1, 2, 3};
 uint32_t pattern;
@@ -928,13 +930,13 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform(
 for (i = 0; i < v_len; ++i) {
 int index = v[i];
 uint8_t value = mtf_u8[index];
- upper_bound |= v[i];
+ upper_bound |= (uint32_t) v[i];
 v[i] = value;
- mtf_u8[-1] = value;
- do {
+ mtf_u8t[0] = value;
+ while (index >= 0) {
+ mtf_u8t[index + 1] = mtf_u8t[index];
 index--;
- mtf_u8[index + 1] = mtf_u8[index];
- } while (index >= 0);
+ }
 }
 /* Remember amount of elements to be reinitialized. */
 state->mtf_upper_bound = upper_bound >> 2;
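Review bot: The added `ASSERT (code < BROTLI_NUM_BLOCK_LEN_SYMBOLS);` in ReadBlockLength is a debug-time check, not a bounds check: assuming ASSERT is the EDK II DebugLib macro, it does nothing when asserts are disabled (for example builds that define MDEPKG_NDEBUG), so `kBlockLengthPrefixCode[code]` is still indexed unchecked with a value decoded from the compressed stream. The same applies to `ASSERT (cmd_code < BROTLI_NUM_COMMAND_SYMBOLS);` in the ReadCommandInternal hunk. If the Huffman table construction already guarantees the symbol range, record that next to the assert, e.g. `/* Invariant: table only yields symbols below BROTLI_NUM_BLOCK_LEN_SYMBOLS; ASSERT documents this for static analysis. */`; if it does not, the out-of-range case needs a runtime test that fails the decode instead of an assert. ReadBlockLength starts outside its hunk and ReadCommandInternal extends past its hunk on both sides, so the available error path is not visible here.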
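Review bot: The new pointer `mtf_u8t` in InverseMoveToFrontTransform is declared without a comment saying that it aliases the same buffer one byte lower; the existing `/* Make mtf[-1] addressable. */` explains why that byte exists but not why a second pointer is needed, and the loop in the following hunk reads `mtf_u8[index]` through one pointer while shifting through the other. Add a comment at the declaration such as `/* mtf_u8t[k] is mtf_u8[k - 1]; lets the shift loop use only non-negative indices. */`. As far as the two hunks show, the rewritten `while (index >= 0)` loop performs the same index + 1 byte moves as the old do/while and its highest write is still `mtf_u8[index]`, so the change reads as a restructuring for the analyser, not as a new bound. The function starts and ends outside both hunks.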
@@ -1566,6 +1568,7 @@ static BROTLI_INLINE BROTLI_BOOL ReadCommandInternal(
 BrotliBitReaderState memento;
 if (!safe) {
 cmd_code = ReadSymbol(s->htree_command, br);
+ ASSERT (cmd_code < BROTLI_NUM_COMMAND_SYMBOLS);
 } else {
 BrotliBitReaderSaveState(br, &memento);
 if (!SafeReadSymbol(s->htree_command, br, &cmd_code)) {
--
2.10.0.windows.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound 2018-10-16 7:27 [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound Liming Gao @ 2018-10-17 8:43 ` Zeng, Star 2018-10-17 8:45 ` Zeng, Star 0 siblings, 1 reply; 4+ messages in thread From: Zeng, Star @ 2018-10-17 8:43 UTC (permalink / raw) To: Gao, Liming, edk2-devel@lists.01.org; +Cc: Zeng, Star Reviewed-by: Star Zeng <star.zeng@intel.com> Thanks, Star -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Liming Gao Sent: Tuesday, October 16, 2018 3:27 PM To: edk2-devel@lists.01.org Subject: [edk2] [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao <liming.gao@intel.com> --- MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
index fd42b3b..f3b3cb8 100644
--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
+++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
@@ -858,6 +858,7 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const HuffmanCode* table,
 uint32_t code;
 uint32_t nbits;
 code = ReadSymbol(table, br);
+ ASSERT (code < BROTLI_NUM_BLOCK_LEN_SYMBOLS);
 nbits = kBlockLengthPrefixCode[code].nbits; /* nbits == 2..24 */
 return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits);
 }
@@ -910,6 +911,7 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform(
 uint32_t upper_bound = state->mtf_upper_bound;
 uint32_t* mtf = &state->mtf[1]; /* Make mtf[-1] addressable. */
 uint8_t* mtf_u8 = (uint8_t*)mtf;
+ uint8_t* mtf_u8t = mtf_u8 - 1;
 /* Load endian-aware constant. */
 const uint8_t b0123[4] = {0, 1, 2, 3};
 uint32_t pattern;
@@ -928,13 +930,13 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform(
 for (i = 0; i < v_len; ++i) {
 int index = v[i];
 uint8_t value = mtf_u8[index];
- upper_bound |= v[i];
+ upper_bound |= (uint32_t) v[i];
 v[i] = value;
- mtf_u8[-1] = value;
- do {
+ mtf_u8t[0] = value;
+ while (index >= 0) {
+ mtf_u8t[index + 1] = mtf_u8t[index];
 index--;
- mtf_u8[index + 1] = mtf_u8[index];
- } while (index >= 0);
+ }
 }
 /* Remember amount of elements to be reinitialized. */
 state->mtf_upper_bound = upper_bound >> 2;
@@ -1566,6 +1568,7 @@ static BROTLI_INLINE BROTLI_BOOL ReadCommandInternal(
 BrotliBitReaderState memento;
 if (!safe) {
 cmd_code = ReadSymbol(s->htree_command, br);
+ ASSERT (cmd_code < BROTLI_NUM_COMMAND_SYMBOLS);
 } else {
 BrotliBitReaderSaveState(br, &memento);
 if (!SafeReadSymbol(s->htree_command, br, &cmd_code)) {
--
2.10.0.windows.1
_______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound 2018-10-17 8:43 ` Zeng, Star @ 2018-10-17 8:45 ` Zeng, Star 2018-10-17 13:02 ` Gao, Liming 0 siblings, 1 reply; 4+ messages in thread From: Zeng, Star @ 2018-10-17 8:45 UTC (permalink / raw) To: Gao, Liming, edk2-devel@lists.01.org; +Cc: Zeng, Star Liming, They are reported by some static analysis tool, right? I think you add some information about it in the commit log. You can do that when pushing the patch. Thanks, Star -----Original Message----- From: Zeng, Star Sent: Wednesday, October 17, 2018 4:43 PM To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org Cc: Zeng, Star <star.zeng@intel.com> Subject: RE: [edk2] [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound Reviewed-by: Star Zeng <star.zeng@intel.com> Thanks, Star -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Liming Gao Sent: Tuesday, October 16, 2018 3:27 PM To: edk2-devel@lists.01.org Subject: [edk2] [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao <liming.gao@intel.com> --- MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
index fd42b3b..f3b3cb8 100644
--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
+++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c
@@ -858,6 +858,7 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const HuffmanCode* table,
 uint32_t code;
 uint32_t nbits;
 code = ReadSymbol(table, br);
+ ASSERT (code < BROTLI_NUM_BLOCK_LEN_SYMBOLS);
 nbits = kBlockLengthPrefixCode[code].nbits; /* nbits == 2..24 */
 return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits);
 }
@@ -910,6 +911,7 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform(
 uint32_t upper_bound = state->mtf_upper_bound;
 uint32_t* mtf = &state->mtf[1]; /* Make mtf[-1] addressable. */
 uint8_t* mtf_u8 = (uint8_t*)mtf;
+ uint8_t* mtf_u8t = mtf_u8 - 1;
 /* Load endian-aware constant. */
 const uint8_t b0123[4] = {0, 1, 2, 3};
 uint32_t pattern;
@@ -928,13 +930,13 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform(
 for (i = 0; i < v_len; ++i) {
 int index = v[i];
 uint8_t value = mtf_u8[index];
- upper_bound |= v[i];
+ upper_bound |= (uint32_t) v[i];
 v[i] = value;
- mtf_u8[-1] = value;
- do {
+ mtf_u8t[0] = value;
+ while (index >= 0) {
+ mtf_u8t[index + 1] = mtf_u8t[index];
 index--;
- mtf_u8[index + 1] = mtf_u8[index];
- } while (index >= 0);
+ }
 }
 /* Remember amount of elements to be reinitialized. */
 state->mtf_upper_bound = upper_bound >> 2;
@@ -1566,6 +1568,7 @@ static BROTLI_INLINE BROTLI_BOOL ReadCommandInternal(
 BrotliBitReaderState memento;
 if (!safe) {
 cmd_code = ReadSymbol(s->htree_command, br);
+ ASSERT (cmd_code < BROTLI_NUM_COMMAND_SYMBOLS);
 } else {
 BrotliBitReaderSaveState(br, &memento);
 if (!SafeReadSymbol(s->htree_command, br, &cmd_code)) {
--
2.10.0.windows.1
_______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound 2018-10-17 8:45 ` Zeng, Star @ 2018-10-17 13:02 ` Gao, Liming 0 siblings, 0 replies; 4+ messages in thread From: Gao, Liming @ 2018-10-17 13:02 UTC (permalink / raw) To: Zeng, Star, edk2-devel@lists.01.org Yes. I will add those information. Thanks! > -----Original Message----- > From: Zeng, Star > Sent: Wednesday, October 17, 2018 4:45 PM > To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org > Cc: Zeng, Star <star.zeng@intel.com> > Subject: RE: [edk2] [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound > > Liming, > > They are reported by some static analysis tool, right? > I think you add some information about it in the commit log. You can do that when pushing the patch. > > Thanks, > Star > -----Original Message----- > From: Zeng, Star > Sent: Wednesday, October 17, 2018 4:43 PM > To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org > Cc: Zeng, Star <star.zeng@intel.com> > Subject: RE: [edk2] [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound > > Reviewed-by: Star Zeng <star.zeng@intel.com> > > > Thanks, > Star > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Liming Gao > Sent: Tuesday, October 16, 2018 3:27 PM > To: edk2-devel@lists.01.org > Subject: [edk2] [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Liming Gao <liming.gao@intel.com> > --- > MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c > b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c > index fd42b3b..f3b3cb8 100644 > --- a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c 
> +++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c > @@ -858,6 +858,7 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const HuffmanCode* table, > uint32_t code; > uint32_t nbits; > code = ReadSymbol(table, br); > + ASSERT (code < BROTLI_NUM_BLOCK_LEN_SYMBOLS); > nbits = kBlockLengthPrefixCode[code].nbits; /* nbits == 2..24 */ > return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits); } @@ -910,6 +911,7 @@ static BROTLI_NOINLINE void > InverseMoveToFrontTransform( > uint32_t upper_bound = state->mtf_upper_bound; > uint32_t* mtf = &state->mtf[1]; /* Make mtf[-1] addressable. */ > uint8_t* mtf_u8 = (uint8_t*)mtf; > + uint8_t* mtf_u8t = mtf_u8 - 1; > /* Load endian-aware constant. */ > const uint8_t b0123[4] = {0, 1, 2, 3}; > uint32_t pattern; > @@ -928,13 +930,13 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform( > for (i = 0; i < v_len; ++i) { > int index = v[i]; > uint8_t value = mtf_u8[index]; > - upper_bound |= v[i]; > + upper_bound |= (uint32_t) v[i]; > v[i] = value; > - mtf_u8[-1] = value; > - do { > + mtf_u8t[0] = value; > + while (index >= 0) { > + mtf_u8t[index + 1] = mtf_u8t[index]; > index--; > - mtf_u8[index + 1] = mtf_u8[index]; > - } while (index >= 0); > + } > } > /* Remember amount of elements to be reinitialized. */ > state->mtf_upper_bound = upper_bound >> 2; @@ -1566,6 +1568,7 @@ static BROTLI_INLINE BROTLI_BOOL > ReadCommandInternal( > BrotliBitReaderState memento; > if (!safe) { > cmd_code = ReadSymbol(s->htree_command, br); > + ASSERT (cmd_code < BROTLI_NUM_COMMAND_SYMBOLS); > } else { > BrotliBitReaderSaveState(br, &memento); > if (!SafeReadSymbol(s->htree_command, br, &cmd_code)) { > -- > 2.10.0.windows.1 > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 4+ messages in thread