From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2223921AE3CD9 for ; Tue, 30 May 2017 23:12:27 -0700 (PDT) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 May 2017 23:13:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.38,422,1491289200"; d="scan'208";a="108548396" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by fmsmga005.fm.intel.com with ESMTP; 30 May 2017 23:13:25 -0700 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Jiewen Yao , Liming Gao , Michael Kinney Date: Wed, 31 May 2017 14:13:18 +0800 Message-Id: <20170531061319.21976-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170531061319.21976-1-hao.a.wu@intel.com> References: <20170531061319.21976-1-hao.a.wu@intel.com> Subject: [PATCH v2 1/2] MdePkg/BasePrintLib: Avoid reading content beyond the format string X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 May 2017 06:12:27 -0000 https://bugzilla.tianocore.org/show_bug.cgi?id=567 In function BasePrintLibSPrintMarker(), when processing ASCII format strings, if the format string walker pointer 'Format' is pointing at the end of the format string (i.e. '\0'), the following expression: *(Format + 1) will read an undefined value. Though this value won't affect the functionality, since it will be masked by variable 'FormatMask': (*(Format + 1) << 8)) & FormatMask (FormatMask is 0xff for ASCII format string) This commit adds additional logic to avoid reading undefined content. Cc: Jiewen Yao Cc: Liming Gao Cc: Michael Kinney Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- MdePkg/Library/BasePrintLib/PrintLibInternal.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c index 9b15a07ac0..cec5b3bc99 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -653,7 +653,7 @@ BasePrintLibSPrintMarker ( // // Get the first character from the format string // - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; // // Loop until the end of the format string is reached or the output buffer is full @@ -685,7 +685,7 @@ BasePrintLibSPrintMarker ( // for (Done = FALSE; !Done; ) { Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; switch (FormatCharacter) { case '.': Flags |= PRECISION; @@ -738,7 +738,7 @@ BasePrintLibSPrintMarker ( for (Count = 0; ((FormatCharacter >= '0') && (FormatCharacter <= '9')); ){ Count = (Count * 10) + FormatCharacter - '0'; Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; } Format -= BytesPerFormatCharacter; if ((Flags & PRECISION) == 0) { @@ -1017,7 +1017,7 @@ BasePrintLibSPrintMarker ( case '\r': Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; if (FormatCharacter == '\n') { // // Translate '\r\n' to '\r\n' @@ -1038,7 +1038,7 @@ BasePrintLibSPrintMarker ( // ArgumentString = "\r\n"; Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; if (FormatCharacter != '\r') { Format -= BytesPerFormatCharacter; } @@ -1057,7 +1057,7 @@ BasePrintLibSPrintMarker ( case '\r': Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; if (FormatCharacter == '\n') { // // Translate '\r\n' to '\r\n' @@ -1078,7 +1078,7 @@ BasePrintLibSPrintMarker ( // ArgumentString = "\r\n"; Format += BytesPerFormatCharacter; - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; if (FormatCharacter != '\r') { Format -= BytesPerFormatCharacter; } @@ -1206,7 +1206,7 @@ BasePrintLibSPrintMarker ( // // Get the next character from the format string // - FormatCharacter = ((*Format & 0xff) | (*(Format + 1) << 8)) & FormatMask; + FormatCharacter = ((*Format & 0xff) | ((BytesPerFormatCharacter == 1) ? 0 : (*(Format + 1) << 8))) & FormatMask; } if ((Flags & COUNT_ONLY_NO_PRINT) != 0) { -- 2.12.0.windows.1