From: Hao Wu
To: edk2-devel@lists.01.org
Cc: Hao Wu, Liming Gao
Date: Tue, 11 Apr 2017 10:17:24 +0800
Message-Id: <20170411021724.16688-3-hao.a.wu@intel.com>
In-Reply-To: <20170411021724.16688-1-hao.a.wu@intel.com>
References: <20170411021724.16688-1-hao.a.wu@intel.com>
Subject: [PATCH 2/2] IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size

The commit adds a check in function InternalPrintGraphic() to ensure that
the expression:

Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)

will not overflow in the UINTN range.

The commit also adds an explicit UINT32 type cast for 'Blt->Width' to
avoid possible overflow in the int range for:

Blt->Width * Blt->Height

Since both Blt->Width and Blt->Height are of type UINT16, they will be
promoted to int (signed) first, and then the multiplication is performed.
If the result of multiplication between Blt->Width and Blt->Height exceeds
the range of type int, a potentially incorrect size will be passed into
function AllocateZeroPool().

Cc: Liming Gao
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu
--- IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c index f0dcf9fb25..6f06efbe05 100644 --- a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c +++ b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c @@ -2,7 +2,7 @@ Mde UEFI library API implementation. Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE - Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.
+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -474,7 +474,14 @@ InternalPrintGraphic ( } else if (FeaturePcdGet (PcdUgaConsumeSupport)) { ASSERT (UgaDraw!= NULL); - Blt->Image.Bitmap = AllocateZeroPool (Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); + // + // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow. + // + if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) { + goto Error; + } + + Blt->Image.Bitmap = AllocateZeroPool ((UINT32) Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); ASSERT (Blt->Image.Bitmap != NULL); // -- 2.12.0.windows.1
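
Review bot: the new guard in InternalPrintGraphic() divides by Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL), which is 0 when Blt->Height is 0, and DivU64x32() asserts on a zero divisor; test Blt->Height != 0 before the division so a zero height never reaches it. In the same hunk, a failed AllocateZeroPool() is still caught only by ASSERT (Blt->Image.Bitmap != NULL), which does nothing in builds where ASSERT is disabled; now that this branch has a goto Error path, send the NULL case there as well. The Error label is outside the visible context, so please confirm it frees Blt and returns an error status when reached from this point.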
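
The integer-promotion and size-overflow problem described in the commit message, as an added standalone C example (not code from the patch or from edk2). The names blt_pixel_t, product_exceeds_int and blt_buffer_size are hypothetical, max_size stands in for MAX_UINTN so that a 32-bit target can be simulated on any host, and a 32-bit int is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Constructed stand-in for EFI_GRAPHICS_OUTPUT_BLT_PIXEL (4 bytes). */
typedef struct { uint8_t b, g, r, reserved; } blt_pixel_t;

/* True when width * height, evaluated after both 16-bit operands are
   promoted to signed int, would not fit in int (undefined behaviour in C).
   Computed in 64 bits so the check itself cannot overflow. */
int product_exceeds_int(uint16_t width, uint16_t height)
{
    return (uint64_t)width * height > (uint64_t)INT_MAX;
}

/* Compute width * height * sizeof(pixel) without overflow.
   max_size models MAX_UINTN of the target (assumption of this example).
   Returns 0 and stores the size on success, -1 if it exceeds max_size. */
int blt_buffer_size(uint16_t width, uint16_t height,
                    uint64_t max_size, uint64_t *size)
{
    /* Widen before multiplying: at most 65535 * 4, never overflows. */
    uint64_t row = (uint64_t)height * sizeof(blt_pixel_t);

    /* A zero height gives a zero-byte buffer; skip the division then. */
    if (row != 0 && width > max_size / row) {
        return -1; /* would overflow the target's UINTN */
    }
    *size = (uint64_t)width * row;
    return 0;
}

int main(void)
{
    uint64_t size = 0;
    /* 1920x1080 fits; 65535x65535 overflows int and a 32-bit UINTN. */
    int ok = blt_buffer_size(1920, 1080, UINT32_MAX, &size) == 0
             && size == 8294400u;
    int rejected = blt_buffer_size(65535, 65535, UINT32_MAX, &size) == -1;
    return (ok && rejected && product_exceeds_int(65535, 65535)) ? 0 : 1;
}
```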