From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.20; helo=mga02.intel.com; envelope-from=liming.gao@intel.com; receiver=edk2-devel@lists.01.org Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 4B7F2211799CC for ; Tue, 16 Oct 2018 00:28:39 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Oct 2018 00:28:38 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,387,1534834800"; d="scan'208";a="88675111" Received: from shwde7172.ccr.corp.intel.com ([10.239.158.23]) by FMSMGA003.fm.intel.com with ESMTP; 16 Oct 2018 00:28:38 -0700 From: Liming Gao To: edk2-devel@lists.01.org Date: Tue, 16 Oct 2018 15:27:15 +0800 Message-Id: <1539674835-8860-1-git-send-email-liming.gao@intel.com> X-Mailer: git-send-email 2.8.0.windows.1 Subject: [Patch] MdeModulePkg BrotliDecompressLib: Add the checker to avoid array out of bound X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Oct 2018 07:28:39 -0000 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao --- MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c index fd42b3b..f3b3cb8 100644 --- a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c +++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c @@ -858,6 +858,7 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const HuffmanCode* table, uint32_t code; uint32_t nbits; code = ReadSymbol(table, br); + ASSERT (code < BROTLI_NUM_BLOCK_LEN_SYMBOLS); nbits = kBlockLengthPrefixCode[code].nbits; /* nbits == 2..24 */ return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits); } @@ -910,6 +911,7 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform( uint32_t upper_bound = state->mtf_upper_bound; uint32_t* mtf = &state->mtf[1]; /* Make mtf[-1] addressable. */ uint8_t* mtf_u8 = (uint8_t*)mtf; + uint8_t* mtf_u8t = mtf_u8 - 1; /* Load endian-aware constant. */ const uint8_t b0123[4] = {0, 1, 2, 3}; uint32_t pattern; @@ -928,13 +930,13 @@ static BROTLI_NOINLINE void InverseMoveToFrontTransform( for (i = 0; i < v_len; ++i) { int index = v[i]; uint8_t value = mtf_u8[index]; - upper_bound |= v[i]; + upper_bound |= (uint32_t) v[i]; v[i] = value; - mtf_u8[-1] = value; - do { + mtf_u8t[0] = value; + while (index >= 0) { + mtf_u8t[index + 1] = mtf_u8t[index]; index--; - mtf_u8[index + 1] = mtf_u8[index]; - } while (index >= 0); + } } /* Remember amount of elements to be reinitialized. */ state->mtf_upper_bound = upper_bound >> 2; @@ -1566,6 +1568,7 @@ static BROTLI_INLINE BROTLI_BOOL ReadCommandInternal( BrotliBitReaderState memento; if (!safe) { cmd_code = ReadSymbol(s->htree_command, br); + ASSERT (cmd_code < BROTLI_NUM_COMMAND_SYMBOLS); } else { BrotliBitReaderSaveState(br, &memento); if (!SafeReadSymbol(s->htree_command, br, &cmd_code)) { -- 2.10.0.windows.1