From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E20B51A1EFA for ; Wed, 12 Oct 2016 05:21:31 -0700 (PDT) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP; 12 Oct 2016 05:21:33 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,482,1473145200"; d="scan'208";a="1063788734" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.34]) by orsmga002.jf.intel.com with ESMTP; 12 Oct 2016 05:21:30 -0700 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Liming Gao , Yonghong Zhu Date: Wed, 12 Oct 2016 20:20:04 +0800 Message-Id: <1476274836-10544-21-git-send-email-hao.a.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.0 In-Reply-To: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com> References: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com> Subject: [PATCH 20/52] BaseTools/C/Common: Fix potential access over array bounds X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Oct 2016 12:21:32 -0000 Cc: Liming Gao Cc: Yonghong Zhu Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- BaseTools/Source/C/Common/CommonLib.c | 8 ++++++-- BaseTools/Source/C/Common/Decompress.c | 7 +++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/BaseTools/Source/C/Common/CommonLib.c b/BaseTools/Source/C/Common/CommonLib.c index 2d07dfc..2f0aecf 100644 --- a/BaseTools/Source/C/Common/CommonLib.c +++ b/BaseTools/Source/C/Common/CommonLib.c @@ -1,7 +1,7 @@ /** @file Common basic Library Functions -Copyright (c) 2004 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -652,7 +652,11 @@ Returns: // // Construct the full file path // - strcat (mCommonLibFullPath, FileName); + if (strlen (mCommonLibFullPath) + strlen (FileName) > MAX_LONG_FILE_PATH - 1) { + Error (NULL, 0, 2000, "Invalid parameter", "FileName %s is too long!", FileName); + return NULL; + } + strncat (mCommonLibFullPath, FileName, MAX_LONG_FILE_PATH - strlen (mCommonLibFullPath) - 1); // // Convert directory separator '/' to '\\' diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c index 48578ea..5768c86 100644 --- a/BaseTools/Source/C/Common/Decompress.c +++ b/BaseTools/Source/C/Common/Decompress.c @@ -2,7 +2,7 @@ Decompressor. Algorithm Ported from OPSD code (Decomp.asm) for Efi and Tiano compress algorithm. -Copyright (c) 2004 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -15,6 +15,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include #include +#include #include "Decompress.h" // @@ -240,7 +241,7 @@ Returns: for (Char = 0; Char < NumOfChar; Char++) { Len = BitLen[Char]; - if (Len == 0) { + if (Len == 0 || Len >= 17) { continue; } @@ -373,6 +374,8 @@ Returns: UINT16 Index; UINT32 Mask; + assert (nn <= NPT); + Number = (UINT16) GetBits (Sd, nbit); if (Number == 0) { -- 1.9.5.msysgit.0