From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8391D21939230 for ; Mon, 10 Apr 2017 19:17:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=intel.com; i=@intel.com; q=dns/txt; s=intel; t=1491877049; x=1523413049; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=EJ1UL4B+gJEIy+1j56IDVo6AATT0JuQ+3Nllaz8Z4DQ=; b=T1xrMtyyrEtrO9PeWlo+xnE4BLaFv1hDPd4ypC8MaJxRFmhCHNEqIBMW iNB+A8+9Z+xemHY3ZmYJVFHWE9f7XA==; Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Apr 2017 19:17:29 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,184,1488873600"; d="scan'208";a="1117994657" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by orsmga001.jf.intel.com with ESMTP; 10 Apr 2017 19:17:28 -0700 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Liming Gao Date: Tue, 11 Apr 2017 10:17:23 +0800 Message-Id: <20170411021724.16688-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170411021724.16688-1-hao.a.wu@intel.com> References: <20170411021724.16688-1-hao.a.wu@intel.com> Subject: [PATCH 1/2] MdePkg/UefiLib: Avoid mis-calculate of graphic console size X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Apr 2017 02:17:29 -0000 The commit adds check in function InternalPrintGraphic() to ensure that the expression: Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) will not overflow in the UINTN range. The commit also adds an explicit UINT32 type cast for 'Blt->Width' to avoid possible overflow in the int range for: Blt->Width * Blt->Height Since both Blt->Width and Blt->Height are of type UINT16. They will be promoted to int (signed) first, and then perform the multiplication operation. If the result of multiplication between Blt->Width and Blt->Height exceeds the range of type int, a potential incorrect size will be passed into funciton AllocateZeroPool(). Cc: Liming Gao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- MdePkg/Library/UefiLib/UefiLibPrint.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/MdePkg/Library/UefiLib/UefiLibPrint.c b/MdePkg/Library/UefiLib/UefiLibPrint.c index 9f52e7d0ce..5527f8e7a8 100644 --- a/MdePkg/Library/UefiLib/UefiLibPrint.c +++ b/MdePkg/Library/UefiLib/UefiLibPrint.c @@ -2,7 +2,7 @@ Mde UEFI library API implementation. Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE - Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -474,7 +474,14 @@ InternalPrintGraphic ( } else if (FeaturePcdGet (PcdUgaConsumeSupport)) { ASSERT (UgaDraw!= NULL); - Blt->Image.Bitmap = AllocateZeroPool (Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); + // + // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow. + // + if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) { + goto Error; + } + + Blt->Image.Bitmap = AllocateZeroPool ((UINT32) Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); ASSERT (Blt->Image.Bitmap != NULL); // -- 2.12.0.windows.1