From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jian.j.wang@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.115; helo=mga14.intel.com;
 envelope-from=jian.j.wang@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id CFB4F22333776
 for <edk2-devel@lists.01.org>; Tue, 23 Jan 2018 20:44:52 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga003.jf.intel.com ([10.7.209.27])
 by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 23 Jan 2018 20:50:20 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.46,405,1511856000"; d="scan'208";a="21865766"
Received: from jwang36-mobl2.ccr.corp.intel.com ([10.239.192.239])
 by orsmga003.jf.intel.com with ESMTP; 23 Jan 2018 20:50:18 -0800
From: Jian J Wang <jian.j.wang@intel.com>
To: edk2-devel@lists.01.org
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Date: Wed, 24 Jan 2018 12:50:16 +0800
Message-Id: <20180124045016.18672-1-jian.j.wang@intel.com>
X-Mailer: git-send-email 2.15.1.windows.2
Subject: [PATCH] ShellPkg/UefiShellLevel3CommandsLib: fix string over-read
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 04:44:53 -0000

> v2:
>    Keep condition "CurrentCommand != NULL" as the first one.

In the for-loop condition of original code, the expression

  *CurrentCommand != CHAR_NULL 

is put before expression

  CurrentCommand < SortedCommandList + SortedCommandListSize/sizeof(CHAR16)

When CurrentCommand walks to the end of string buffer, one more character
over the end of string buffer will be read and then stop.

To fix this issue, just move the last expression to the first one. Because
of short-circuit evaludation of and-expression, the following one

  *CurrentCommand != CHAR_NULL

will not be evaluated if the expression before it is evaludated as FALSE.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
 ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c b/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c
index a71ade3a20..f6159c1335 100644
--- a/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c
+++ b/ShellPkg/Library/UefiShellLevel3CommandsLib/Help.c
@@ -397,7 +397,7 @@ ShellCommandRunHelp (
         CopyListOfCommandNamesWithDynamic(&SortedCommandList, &SortedCommandListSize);
 
         for (CurrentCommand = SortedCommandList 
-          ; CurrentCommand != NULL && *CurrentCommand != CHAR_NULL && CurrentCommand < SortedCommandList + SortedCommandListSize/sizeof(CHAR16)
+          ; CurrentCommand != NULL && CurrentCommand < SortedCommandList + SortedCommandListSize/sizeof(CHAR16) && *CurrentCommand != CHAR_NULL
           ; CurrentCommand += StrLen(CurrentCommand) + 1
           ) {
           //
-- 
2.15.1.windows.2