From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.43; helo=mga05.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 3821B21EC8D06 for ; Wed, 27 Sep 2017 21:29:04 -0700 (PDT) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga105.fm.intel.com with ESMTP; 27 Sep 2017 21:32:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,448,1500966000"; d="scan'208";a="1224629809" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.13]) by fmsmga002.fm.intel.com with ESMTP; 27 Sep 2017 21:32:17 -0700 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Steven Shi , Michael Kinney Date: Thu, 28 Sep 2017 12:32:09 +0800 Message-Id: <20170928043213.20776-2-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20170928043213.20776-1-hao.a.wu@intel.com> References: <20170928043213.20776-1-hao.a.wu@intel.com> Subject: [PATCH v3 1/5] MdePkg/PrintLib: Fix possible negative value left shift X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2017 04:29:05 -0000 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=702 Within function InternalPrintLibSPrintMarker(), possible left shift of a negative value is found in: "(*(ArgumentString + 1) << 8)" which involves undefined behavior. Since '*(ArgumentString + 1)' is of type CONST CHAR8 (signed), it will be promoted to type int (signed) during the left shift operation. If '*(ArgumentString + 1)' is a negative value, the behavior will be undefined. According to the C11 spec, Section 6.5.7: > 4 The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated > bits are filled with zeros. If E1 has an unsigned type, the value > of the result is E1 * 2^E2 , reduced modulo one more than the > maximum value representable in the result type. If E1 has a signed > type and nonnegative value, and E1 * 2^E2 is representable in the > result type, then that is the resulting value; otherwise, the > behavior is undefined. This commit explicitly cast '*(ArgumentString + 1)' with UINT8 to resolve this issue. Cc: Steven Shi Cc: Michael Kinney Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu Reviewed-by: Liming Gao --- MdePkg/Library/BasePrintLib/PrintLibInternal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c index cec5b3bc99..28d946472f 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -1165,7 +1165,7 @@ BasePrintLibSPrintMarker ( // Copy the string into the output buffer performing the required type conversions // while (Index < Count) { - ArgumentCharacter = ((*ArgumentString & 0xff) | (*(ArgumentString + 1) << 8)) & ArgumentMask; + ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask; LengthToReturn += (1 * BytesPerOutputCharacter); if ((Flags & COUNT_ONLY_NO_PRINT) == 0 && Buffer != NULL) { -- 2.12.0.windows.1