From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A257A1A1F0B for ; Wed, 12 Oct 2016 05:21:34 -0700 (PDT) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP; 12 Oct 2016 05:21:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,482,1473145200"; d="scan'208";a="1063788755" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.34]) by orsmga002.jf.intel.com with ESMTP; 12 Oct 2016 05:21:33 -0700 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Liming Gao , Yonghong Zhu Date: Wed, 12 Oct 2016 20:20:06 +0800 Message-Id: <1476274836-10544-23-git-send-email-hao.a.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.0 In-Reply-To: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com> References: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com> Subject: [PATCH 22/52] BaseTools/GenFv: Fix potential access over array bounds X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Oct 2016 12:21:34 -0000 Cc: Liming Gao Cc: Yonghong Zhu Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- BaseTools/Source/C/GenFv/GenFv.c | 9 +++-- BaseTools/Source/C/GenFv/GenFvInternalLib.c | 55 +++++++++++++++++++++++++++-- 2 files changed, 59 insertions(+), 5 deletions(-) diff --git a/BaseTools/Source/C/GenFv/GenFv.c b/BaseTools/Source/C/GenFv/GenFv.c index 01ae37a..4de24b9 100644 --- a/BaseTools/Source/C/GenFv/GenFv.c +++ b/BaseTools/Source/C/GenFv/GenFv.c @@ -4,7 +4,7 @@ can be found in the Tiano Firmware Volume Generation Utility Specification, review draft. -Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -337,7 +337,12 @@ Returns: Error (NULL, 0, 1003, "Invalid option value", "Input Ffsfile can't be null"); return STATUS_ERROR; } - strcpy (mFvDataInfo.FvFiles[Index], argv[1]); + if (strlen (argv[1]) > MAX_LONG_FILE_PATH - 1) { + Error (NULL, 0, 1003, "Invalid option value", "Input Ffsfile name %s is too long!", argv[1]); + return STATUS_ERROR; + } + strncpy (mFvDataInfo.FvFiles[Index], argv[1], MAX_LONG_FILE_PATH - 1); + mFvDataInfo.FvFiles[Index][MAX_LONG_FILE_PATH - 1] = 0; DebugMsg (NULL, 0, 9, "FV component file", "the %uth name is %s", (unsigned) Index + 1, argv[1]); argc -= 2; argv += 2; diff --git a/BaseTools/Source/C/GenFv/GenFvInternalLib.c b/BaseTools/Source/C/GenFv/GenFvInternalLib.c index 8c769b4..d7c650e 100644 --- a/BaseTools/Source/C/GenFv/GenFvInternalLib.c +++ b/BaseTools/Source/C/GenFv/GenFvInternalLib.c @@ -374,7 +374,7 @@ Returns: } } - for (Index = 0; Index < MAX_NUMBER_OF_FILES_IN_FV; Index++) { + for (Index = 0; Number + Index < MAX_NUMBER_OF_FILES_IN_FV; Index++) { // // Read the FFS file list // @@ -2418,17 +2418,19 @@ Returns: UINT8 *FvImage; UINTN FvImageSize; FILE *FvFile; - CHAR8 FvMapName [MAX_LONG_FILE_PATH]; + CHAR8 *FvMapName; FILE *FvMapFile; EFI_FIRMWARE_VOLUME_EXT_HEADER *FvExtHeader; FILE *FvExtHeaderFile; UINTN FileSize; - CHAR8 FvReportName[MAX_LONG_FILE_PATH]; + CHAR8 *FvReportName; FILE *FvReportFile; FvBufferHeader = NULL; FvFile = NULL; + FvMapName = NULL; FvMapFile = NULL; + FvReportName = NULL; FvReportFile = NULL; if (InfFileImage != NULL) { 
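Review bot: `Index` is not bounded anywhere in this hunk before it selects the row `mFvDataInfo.FvFiles[Index]`, so a command line that repeats the Ffsfile option often enough could still write past the array unless the option loop checks the count in lines not shown. If no such check exists, a guard ahead of the copy would close it, e.g. `if (Index >= MAX_NUMBER_OF_FILES_IN_FV) { Error (NULL, 0, 1003, "Invalid option value", "Too many input Ffsfiles"); return STATUS_ERROR; }`, assuming `FvFiles` is dimensioned by `MAX_NUMBER_OF_FILES_IN_FV` as the loop bound in GenFvInternalLib.c suggests. The rejection message also formats the over-long `argv[1]` with `%s`, and the same pattern recurs for `MapFileName` and `FvFileName` in GenFvInternalLib.c. It is worth confirming that `Error ()` formats into a bounded buffer, or printing the name with a precision such as `%.64s`. The enclosing function starts and ends outside the hunk.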
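Review bot: Once `Number + Index` reaches `MAX_NUMBER_OF_FILES_IN_FV` the loop simply stops, so any further entries in the FFS file list appear to be dropped without a diagnostic and the tool would go on to build a volume that is missing files. Reporting the condition after the loop would make it visible, for example `if (Number + Index >= MAX_NUMBER_OF_FILES_IN_FV) { /* look for one more list entry and call Error () if there is one */ }`. The loop body and the declaration of `Number` are outside the hunk, so it cannot be seen here whether an earlier check already rejects an over-long list.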
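Review bot: `FvExtHeader` is not set to NULL in this initialization run, yet the `Finish` label frees it whenever it is non-NULL (visible in the context of the last hunk of this file), and the patch adds several new `goto Finish` exits. Unless `FvExtHeader` is assigned unconditionally before the first of those exits, which the lines shown do not establish, adding `FvExtHeader = NULL;` next to `FvMapName = NULL;` would keep the cleanup path from freeing an indeterminate pointer. The function body continues outside the hunk.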
@@ -2566,8 +2568,34 @@ Returns: // FvMap file to log the function address of all modules in one Fvimage // if (MapFileName != NULL) { + if (strlen (MapFileName) > MAX_LONG_FILE_PATH - 1) { + Error (NULL, 0, 1003, "Invalid option value", "MapFileName %s is too long!", MapFileName); + Status = EFI_ABORTED; + goto Finish; + } + + FvMapName = malloc (strlen (MapFileName) + 1); + if (FvMapName == NULL) { + Error (NULL, 0, 4001, "Resource", "memory cannot be allocated!"); + Status = EFI_OUT_OF_RESOURCES; + goto Finish; + } + strcpy (FvMapName, MapFileName); } else { + if (strlen (FvFileName) + strlen (".map") > MAX_LONG_FILE_PATH - 1) { + Error (NULL, 0, 1003, "Invalid option value", "FvFileName %s is too long!", FvFileName); + Status = EFI_ABORTED; + goto Finish; + } + + FvMapName = malloc (strlen (FvFileName) + strlen (".map") + 1); + if (FvMapName == NULL) { + Error (NULL, 0, 4001, "Resource", "memory cannot be allocated!"); + Status = EFI_OUT_OF_RESOURCES; + goto Finish; + } + strcpy (FvMapName, FvFileName); strcat (FvMapName, ".map"); } @@ -2576,6 +2604,19 @@ Returns: // // FvReport file to log the FV information in one Fvimage // + if (strlen (FvFileName) + strlen (".txt") > MAX_LONG_FILE_PATH - 1) { + Error (NULL, 0, 1003, "Invalid option value", "FvFileName %s is too long!", FvFileName); + Status = EFI_ABORTED; + goto Finish; + } + + FvReportName = malloc (strlen (FvFileName) + strlen (".txt") + 1); + if (FvReportName == NULL) { + Error (NULL, 0, 4001, "Resource", "memory cannot be allocated!"); + Status = EFI_OUT_OF_RESOURCES; + goto Finish; + } + strcpy (FvReportName, FvFileName); strcat (FvReportName, ".txt"); @@ -2852,6 +2893,14 @@ Finish: if (FvExtHeader != NULL) { free (FvExtHeader); } + + if (FvMapName != NULL) { + free (FvMapName); + } + + if (FvReportName != NULL) { + free (FvReportName); + } if (FvFile != NULL) { fflush (FvFile); -- 1.9.5.msysgit.0
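Review bot: The check / malloc / strcpy / strcat sequence is written out three times (both branches here and again for `FvReportName` in the next hunk), and each copy has to keep its length test and its allocation size in agreement by hand. A single file-local helper that takes the base name and a suffix would compute the length once and use it for both the limit test and the allocation, leaving the call sites to set `Status` and jump to `Finish`. A sketch follows; the helper name is chosen for illustration and the "too long" message becomes generic rather than naming the specific option. The enclosing function starts and ends outside the hunk.

```c
STATIC
EFI_STATUS
AllocNameWithSuffix (
  IN  CHAR8  *Base,
  IN  CHAR8  *Suffix,
  OUT CHAR8  **Name
  )
{
  size_t  Length;

  Length = strlen (Base) + strlen (Suffix);
  if (Length > MAX_LONG_FILE_PATH - 1) {
    Error (NULL, 0, 1003, "Invalid option value", "File name %s is too long!", Base);
    return EFI_ABORTED;
  }

  *Name = malloc (Length + 1);
  if (*Name == NULL) {
    Error (NULL, 0, 4001, "Resource", "memory cannot be allocated!");
    return EFI_OUT_OF_RESOURCES;
  }

  strcpy (*Name, Base);
  strcat (*Name, Suffix);
  return EFI_SUCCESS;
}

  // … unchanged: FvMap comment block …
  if (MapFileName != NULL) {
    Status = AllocNameWithSuffix (MapFileName, "", &FvMapName);
  } else {
    Status = AllocNameWithSuffix (FvFileName, ".map", &FvMapName);
  }
  if (EFI_ERROR (Status)) {
    goto Finish;
  }

  // … unchanged: FvReport comment block …
  Status = AllocNameWithSuffix (FvFileName, ".txt", &FvReportName);
  if (EFI_ERROR (Status)) {
    goto Finish;
  }
```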