From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hao.a.wu@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 5D39721E945EF
 for <edk2-devel@lists.01.org>; Tue, 19 Sep 2017 04:35:37 -0700 (PDT)
Received: from orsmga001.jf.intel.com ([10.7.209.18])
 by fmsmga105.fm.intel.com with ESMTP; 19 Sep 2017 04:38:41 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.42,418,1500966000"; d="scan'208";a="1173700392"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13])
 by orsmga001.jf.intel.com with ESMTP; 19 Sep 2017 04:38:40 -0700
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Ruiyu Ni <ruiyu.ni@intel.com>,
 Steven Shi <steven.shi@intel.com>,
 Michael Kinney <michael.d.kinney@intel.com>,
 Liming Gao <liming.gao@intel.com>
Date: Tue, 19 Sep 2017 19:38:33 +0800
Message-Id: <20170919113833.14048-3-hao.a.wu@intel.com>
X-Mailer: git-send-email 2.12.0.windows.1
In-Reply-To: <20170919113833.14048-1-hao.a.wu@intel.com>
References: <20170919113833.14048-1-hao.a.wu@intel.com>
Subject: [PATCH 2/2] MdePkg/BaseLib: Avoid reading content beyond string boundary
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 11:35:37 -0000

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=705

As mentioned in the above Bugzilla link by Steven, within the function
PathCleanUpDirectories(), when executing command:
"cd ."

under Shell, the input parameter 'Path' string will have string length
less than 2. Hence, it is possible for the below statement:
"if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {"

to read contents before the string boundary.

This commit adds additional checks to avoid this.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdePkg/Library/BaseLib/FilePaths.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Library/BaseLib/FilePaths.c b/MdePkg/Library/BaseLib/FilePaths.c
index 203045ccdc..d6f3758ecb 100644
--- a/MdePkg/Library/BaseLib/FilePaths.c
+++ b/MdePkg/Library/BaseLib/FilePaths.c
@@ -1,7 +1,7 @@
 /** @file
   Defines file-path manipulation functions.
 
-  Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -91,7 +91,7 @@ PathCleanUpDirectories(
   while ((TempString = StrStr (Path, L"\\.\\")) != NULL) {
     CopyMem (TempString, TempString + 2, StrSize (TempString + 2));
   }
-  if (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0) {
+  if ((StrLen (Path) >= 2) && (StrCmp (Path + StrLen (Path) - 2, L"\\.") == 0)) {
     Path[StrLen (Path) - 1] = CHAR_NULL;
   }
 
-- 
2.12.0.windows.1