From: "Dandan Bi" <dandan.bi@intel.com>
To: devel@edk2.groups.io
Cc: Hao Wu <hao.a.wu@intel.com>, Ray Ni <ray.ni@intel.com>,
Liming Gao <liming.gao@intel.com>
Subject: [patch] MdeModulePkg/HiiDatabaseDxe: Release lock on all error return path
Date: Mon, 22 Apr 2019 09:56:07 +0800 [thread overview]
Message-ID: <20190422015607.14620-1-dandan.bi@intel.com> (raw)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1652
Commit ffe5f7a6b4e9
"MdeModulePkg/HiiDatabase: Fix potential integer overflow "
added some new error paths, but it missed releasing the
mHiiDatabaseLock lock on those paths.
This patch releases mHiiDatabaseLock on those paths.
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
---
MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
index bd623cae15..a108fc6157 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
@@ -1,10 +1,10 @@
/** @file
Implementation for EFI_HII_IMAGE_PROTOCOL.
-Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -651,10 +651,11 @@ HiiNewImage (
// Make sure the size doesn't overflow UINT32.
// Note: 24Bit BMP occpuies 3 bytes per pixel.
//
NewBlockSize = (UINT32)Image->Width * Image->Height;
if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) {
+ EfiReleaseLock (&mHiiDatabaseLock);
return EFI_OUT_OF_RESOURCES;
}
NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL));
//
@@ -678,10 +679,11 @@ HiiNewImage (
//
// Make sure the final package length doesn't overflow.
// Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
//
if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) {
+ EfiReleaseLock (&mHiiDatabaseLock);
return EFI_OUT_OF_RESOURCES;
}
//
// Because ImagePackage->ImageBlockSize < ImagePackage->ImagePkgHdr.Header.Length,
// So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24
@@ -719,10 +721,11 @@ HiiNewImage (
//
// Make sure the final package length doesn't overflow.
// Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
//
if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + sizeof (EFI_HII_IIBT_END_BLOCK))) {
+ EfiReleaseLock (&mHiiDatabaseLock);
return EFI_OUT_OF_RESOURCES;
}
//
// The specified package list does not contain image package.
// Create one to add this image block.
@@ -1159,16 +1162,18 @@ HiiSetImage (
// Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24.
// 24Bit BMP occpuies 3 bytes per pixel.
//
NewBlockSize = (UINT32)Image->Width * Image->Height;
if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) {
+ EfiReleaseLock (&mHiiDatabaseLock);
return EFI_OUT_OF_RESOURCES;
}
NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL));
if ((NewBlockSize > OldBlockSize) &&
(NewBlockSize - OldBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length)
) {
+ EfiReleaseLock (&mHiiDatabaseLock);
return EFI_OUT_OF_RESOURCES;
}
//
// Adjust the image package to remove the original block firstly then add the new block.
--
2.18.0.windows.1
next reply other threads:[~2019-04-22 1:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-22 1:56 Dandan Bi [this message]
2019-04-22 7:30 ` [patch] MdeModulePkg/HiiDatabaseDxe: Release lock on all error return path Wu, Hao A
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190422015607.14620-1-dandan.bi@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox