From: Dandan Bi
To: edk2-devel@lists.01.org
Cc: Eric Dong
Date: Tue, 28 Aug 2018 10:05:48 +0800
Message-Id: <20180828020548.28096-1-dandan.bi@intel.com>
Subject: [patch] MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool
List-Id: EDK II Development

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1115

When the type of HiiValue is EFI_IFR_TYPE_BUFFER, its question type is EFI_IFR_ORDERED_LIST_OP. And the buffer size allocated for Statement->BufferValue of orderedList is "Statement->StorageWidth" in IfrParse.c. So here, when backing up the buffer value, copying the size of "Statement->StorageWidth + sizeof(CHAR16)" is incorrect. This patch is to fix this issue.

Cc: Eric Dong
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi --- MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c index ded1c7ad11..58daaab404 100644 --- a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c +++ b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c @@ -2002,11 +2002,11 @@ ProcessCallBackFunction ( // // If EFI_BROWSER_ACTION_CHANGING type, back up the new question value. // if (Action == EFI_BROWSER_ACTION_CHANGING) { if (HiiValue->Type == EFI_IFR_TYPE_BUFFER) { - BackUpBuffer = AllocateCopyPool(Statement->StorageWidth + sizeof(CHAR16), Statement->BufferValue); + BackUpBuffer = AllocateCopyPool(Statement->StorageWidth, Statement->BufferValue); ASSERT (BackUpBuffer != NULL); } else { CopyMem (&BackUpValue, &HiiValue->Value, sizeof (EFI_IFR_TYPE_VALUE)); } } @@ -2128,11 +2128,11 @@ ProcessCallBackFunction ( // then the browser will use the value passed to Callback() and ignore the // value returned by Callback(). // if (Action == EFI_BROWSER_ACTION_CHANGING && Status == EFI_UNSUPPORTED) { if (HiiValue->Type == EFI_IFR_TYPE_BUFFER) { - CopyMem (Statement->BufferValue, BackUpBuffer, Statement->StorageWidth + sizeof(CHAR16)); + CopyMem (Statement->BufferValue, BackUpBuffer, Statement->StorageWidth); } else { CopyMem (&HiiValue->Value, &BackUpValue, sizeof (EFI_IFR_TYPE_VALUE)); } // -- 2.14.3.windows.1
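
Review bot: In the first hunk (@@ -2002), the only guard on the AllocateCopyPool result is ASSERT (BackUpBuffer != NULL), which disappears in builds where ASSERT is compiled out, so a failed allocation would leave BackUpBuffer NULL for the later restore path. Since this line is being touched anyway, consider an explicit NULL check that bails out with an error status instead of relying on the ASSERT alone. Minor style point on the same line: the new call is written AllocateCopyPool( without the space before the parenthesis that the neighbouring CopyMem ( and ASSERT ( calls use.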
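
Review bot: In the second hunk (@@ -2128), the CopyMem length has to stay identical to the length passed to AllocateCopyPool in the first hunk, yet the two are still written out as separate expressions roughly 120 lines apart, which is how both ended up carrying the same wrong "+ sizeof(CHAR16)". Consider capturing the size in a local variable when the backup is taken and reusing it here, so the allocation, the backup copy and the restore cannot drift apart again. It would also help to extend the comment above this block to say that BackUpBuffer holds exactly Statement->StorageWidth bytes, matching the allocation the commit message attributes to IfrParse.c.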