From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.100; helo=mga07.intel.com; envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 1729F22333785 for ; Mon, 22 Jan 2018 18:09:18 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 Jan 2018 18:14:44 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,398,1511856000"; d="scan'208";a="197940930" Received: from jwang36-mobl2.ccr.corp.intel.com ([10.239.192.151]) by fmsmga006.fm.intel.com with ESMTP; 22 Jan 2018 18:14:43 -0800 From: Jian J Wang To: edk2-devel@lists.01.org Cc: Ruiyu Ni Date: Tue, 23 Jan 2018 10:14:41 +0800 Message-Id: <20180123021441.4784-1-jian.j.wang@intel.com> X-Mailer: git-send-email 2.15.1.windows.2 Subject: [PATCH] ShellPkg/UefiShellLevel3CommandsLib: fix string over-read X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jan 2018 02:09:19 -0000 In the for-loop condition of original code, the expression *CurrentCommand != CHAR_NULL is put before expression CurrentCommand < SortedCommandList + SortedCommandListSize/sizeof(CHAR16) When CurrentCommand walks to the end of string buffer, one more character over the end of string buffer will be read and then stop. To fix this issue, just move the last expression to the first one. Because of short-circuit evaludation of and-expression, the following one *CurrentCommand != CHAR_NULL will not be evaluated if the expression before it is evaludated as FALSE. Cc: Ruiyu Ni Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang --- ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c b/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c index a71ade3a20..75e3d74200 100644 --- a/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c +++ b/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c @@ -397,7 +397,7 @@ ShellCommandRunHelp ( CopyListOfCommandNamesWithDynamic(&SortedCommandList, &SortedCommandListSize); for (CurrentCommand = SortedCommandList - ; CurrentCommand != NULL && *CurrentCommand != CHAR_NULL && CurrentCommand < SortedCommandList + SortedCommandListSize/sizeof(CHAR16) + ; CurrentCommand < SortedCommandList + SortedCommandListSize/sizeof(CHAR16) && CurrentCommand != NULL && *CurrentCommand != CHAR_NULL ; CurrentCommand += StrLen(CurrentCommand) + 1 ) { // -- 2.15.1.windows.2