public inbox for devel@edk2.groups.io
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Liming Gao <liming.gao@intel.com>
Subject: [PATCH 2/2] IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size
Date: Tue, 11 Apr 2017 10:17:24 +0800
Message-ID: <20170411021724.16688-3-hao.a.wu@intel.com>
In-Reply-To: <20170411021724.16688-1-hao.a.wu@intel.com>

The commit adds a check in function InternalPrintGraphic() to ensure that
the expression:

Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)

will not overflow in the UINTN range.

The commit also adds an explicit UINT32 type cast for 'Blt->Width' to
avoid possible overflow in the int range for:

Blt->Width * Blt->Height

Since both Blt->Width and Blt->Height are of type UINT16, they will be
promoted to int (signed) first, and then perform the multiplication
operation. If the result of multiplication between Blt->Width and
Blt->Height exceeds the range of type int, a potentially incorrect size will
be passed into function AllocateZeroPool().

Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
index f0dcf9fb25..6f06efbe05 100644
--- a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
+++ b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
@@ -2,7 +2,7 @@
   Mde UEFI library API implementation.
   Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE
 
-  Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -474,7 +474,14 @@ InternalPrintGraphic (
   } else if (FeaturePcdGet (PcdUgaConsumeSupport)) {
     ASSERT (UgaDraw!= NULL);
 
-    Blt->Image.Bitmap = AllocateZeroPool (Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
+    //
+    // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow.
+    //
+    if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {
+      goto Error;
+    }
+
+    Blt->Image.Bitmap = AllocateZeroPool ((UINT32) Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));
     ASSERT (Blt->Image.Bitmap != NULL);
 
     //
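
Review bot: The new guard `DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))` has a zero divisor when Blt->Height is 0, and nothing in the visible lines rules that out; DivU64x32() asserts on a zero divisor. Either reject a zero Height before the division or extend the comment to say why it cannot occur at this point. Separately, the context line `ASSERT (Blt->Image.Bitmap != NULL);` remains the only handling of an allocation failure. Since this hunk now uses `goto Error` for the overflow case, a NULL return from AllocateZeroPool() could take the same path instead of relying on an ASSERT that can be disabled in release builds.
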
-- 
2.12.0.windows.1


