From mboxrd@z Thu Jan 1 00:00:00 1970
Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 12 Apr 2019 16:31:41 -0700
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7748C308626C; Fri, 12 Apr 2019 23:31:41 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-65.rdu2.redhat.com [10.10.120.65]) by smtp.corp.redhat.com (Postfix) with ESMTP id 67D756090C; Fri, 12 Apr 2019 23:31:40 +0000 (UTC)
From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Liming Gao, Michael D Kinney
Subject: [PATCH 04/10] MdePkg/PiFirmwareFile: fix undefined behavior in FFS_FILE_SIZE
Date: Sat, 13 Apr 2019 01:31:22 +0200
Message-Id: <20190412233128.4756-5-lersek@redhat.com>
In-Reply-To: <20190412233128.4756-1-lersek@redhat.com>
References: <20190412233128.4756-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.49]); Fri, 12 Apr 2019 23:31:41 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable

Accessing "EFI_FFS_FILE_HEADER.Size", which is of type UINT8[3], through a
(UINT32*), is undefined behavior. Fix it by accessing the array elements
individually.

(We can't use a union here, unfortunately, as easily as with
"EFI_COMMON_SECTION_HEADER", given the fields in "EFI_FFS_FILE_HEADER".)

Cc: Liming Gao
Cc: Michael D Kinney
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1710
Signed-off-by: Laszlo Ersek
---
 MdePkg/Include/Pi/PiFirmwareFile.h | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/MdePkg/Include/Pi/PiFirmwareFile.h b/MdePkg/Include/Pi/PiFir= mwareFile.h index 4fce8298d1c0..0668f3fa9af4 100644 --- a/MdePkg/Include/Pi/PiFirmwareFile.h +++ b/MdePkg/Include/Pi/PiFirmwareFile.h @@ -174,18 +174,26 @@ typedef struct { /// If FFS_ATTRIB_LARGE_FILE is not set then EFI_FFS_FILE_HEADER is us= ed. /// UINT64 ExtendedSize; } EFI_FFS_FILE_HEADER2; =20 #define IS_FFS_FILE2(FfsFileHeaderPtr) \ (((((EFI_FFS_FILE_HEADER *) (UINTN) FfsFileHeaderPtr)->Attributes) &= FFS_ATTRIB_LARGE_FILE) =3D=3D FFS_ATTRIB_LARGE_FILE) =20 +#define FFS_FILE_SIZE_ARRAY(FfsFileHeaderPtr) \ + (((EFI_FFS_FILE_HEADER *) (UINTN) (FfsFileHeaderPtr))->Size) + +#define FFS_FILE_SIZE_ELEMENT(FfsFileHeaderPtr, Index) \ + ((UINT32) FFS_FILE_SIZE_ARRAY (FfsFileHeaderPtr)[(Index)]) + #define FFS_FILE_SIZE(FfsFileHeaderPtr) \ - ((UINT32) (*((UINT32 *) ((EFI_FFS_FILE_HEADER *) (UINTN) FfsFileHead= erPtr)->Size) & 0x00ffffff)) + ((FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 0) << 0) | \ + (FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 1) << 8) | \ + (FFS_FILE_SIZE_ELEMENT ((FfsFileHeaderPtr), 2) << 16)) =20 #define FFS_FILE2_SIZE(FfsFileHeaderPtr) \ ((UINT32) (((EFI_FFS_FILE_HEADER2 *) (UINTN) FfsFileHeaderPtr)->Exte= ndedSize)) =20 typedef UINT8 EFI_SECTION_TYPE; =20 /// /// Pseudo type. It is used as a wild card when retrieving sections. --=20 2.19.1.3.g30247aa5d201
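
Review bot: the new FFS_FILE_SIZE expands FfsFileHeaderPtr three times, once per FFS_FILE_SIZE_ELEMENT use, where the removed definition expanded it once, so a caller that passes an expression with side effects (for example a pointer advanced inside the argument) would now evaluate it three times. Consider a comment above the macro stating that the argument must be free of side effects. Separately, FFS_FILE_SIZE_ARRAY and FFS_FILE_SIZE_ELEMENT are added to this public header without a `///` comment; a line marking them as helpers for FFS_FILE_SIZE would make their intended scope clear. The `(UINT32)` cast in FFS_FILE_SIZE_ELEMENT before the shifts is worth keeping as is, since a bare UINT8 operand would be promoted to a signed int before the `<< 16`.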