From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hao.a.wu@intel.com>
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 61CCD81D87
 for <edk2-devel@lists.01.org>; Thu,  3 Nov 2016 00:23:44 -0700 (PDT)
Received: from orsmga003.jf.intel.com ([10.7.209.27])
 by orsmga102.jf.intel.com with ESMTP; 03 Nov 2016 00:23:46 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,585,1473145200"; d="scan'208";a="897185148"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.34])
 by orsmga003.jf.intel.com with ESMTP; 03 Nov 2016 00:23:43 -0700
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Liming Gao <liming.gao@intel.com>,
 Yonghong Zhu <yonghong.zhu@intel.com>, Eric Dong <eric.dong@intel.com>,
 Dandan Bi <dandan.bi@intel.com>
Date: Thu,  3 Nov 2016 15:22:32 +0800
Message-Id: <1478157783-9368-23-git-send-email-hao.a.wu@intel.com>
X-Mailer: git-send-email 1.9.5.msysgit.0
In-Reply-To: <1478157783-9368-1-git-send-email-hao.a.wu@intel.com>
References: <1478157783-9368-1-git-send-email-hao.a.wu@intel.com>
Subject: [PATCH v2 22/53] BaseTools/VfrCompile: Add checks for array access
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 07:23:44 -0000

Cc: Liming Gao <liming.gao@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 BaseTools/Source/C/VfrCompile/Pccts/h/DLexer.h  | 3 +++
 BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/BaseTools/Source/C/VfrCompile/Pccts/h/DLexer.h b/BaseTools/Source/C/VfrCompile/Pccts/h/DLexer.h
index 37cac24..f15bff1 100644
--- a/BaseTools/Source/C/VfrCompile/Pccts/h/DLexer.h
+++ b/BaseTools/Source/C/VfrCompile/Pccts/h/DLexer.h
@@ -30,6 +30,8 @@
  * 1989-2000
  */
 
+#include <assert.h>
+
 #define ZZINC {if ( track_columns ) (++_endcol);}
 
 #define ZZGETC {ch = input->nextChar(); cl = ZZSHIFT(ch);}
@@ -114,6 +116,7 @@ more:
 		state = dfa_base[automaton];
 		while (ZZNEWSTATE != DfaStates) {
 			state = newstate;
+            assert(state <= sizeof(dfa)/sizeof(dfa[0]));
 			ZZCOPY;
 			ZZGETC;
 			ZZINC;
diff --git a/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp b/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
index 1ab95be..24b0bfa 100644
--- a/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
+++ b/BaseTools/Source/C/VfrCompile/VfrUtilityLib.cpp
@@ -1474,6 +1474,10 @@ CVfrDataStorage::GetFreeVarStoreId (
     }
   }
 
+  if (Index == EFI_FREE_VARSTORE_ID_BITMAP_SIZE) {
+    return EFI_VARSTORE_ID_INVALID;
+  }
+
   for (Offset = 0, Mask = 0x80000000; Mask != 0; Mask >>= 1, Offset++) {
     if ((mFreeVarStoreIdBitMap[Index] & Mask) == 0) {
       mFreeVarStoreIdBitMap[Index] |= Mask;
@@ -2437,6 +2441,10 @@ CVfrQuestionDB::GetFreeQuestionId (
     }
   }
 
+  if (Index == EFI_FREE_QUESTION_ID_BITMAP_SIZE) {
+    return EFI_QUESTION_ID_INVALID;
+  }
+
   for (Offset = 0, Mask = 0x80000000; Mask != 0; Mask >>= 1, Offset++) {
     if ((mFreeQIdBitMap[Index] & Mask) == 0) {
       mFreeQIdBitMap[Index] |= Mask;
-- 
1.9.5.msysgit.0