From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.93, mailfrom: dandan.bi@intel.com) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by groups.io with SMTP; Sun, 21 Apr 2019 18:56:13 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Apr 2019 18:56:13 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,380,1549958400"; d="scan'208";a="225499595" Received: from shwdeopenpsi114.ccr.corp.intel.com ([10.239.157.147]) by orsmga001.jf.intel.com with ESMTP; 21 Apr 2019 18:56:11 -0700 From: "Dandan Bi" To: devel@edk2.groups.io Cc: Hao Wu , Ray Ni , Liming Gao Subject: [patch] MdeModulePkg/HiiDatabaseDxe: Release lock on all error return path Date: Mon, 22 Apr 2019 09:56:07 +0800 Message-Id: <20190422015607.14620-1-dandan.bi@intel.com> X-Mailer: git-send-email 2.18.0.windows.1 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1652 Commit ffe5f7a6b4e9 "MdeModulePkg/HiiDatabase: Fix potential integer overflow " added some new error paths, but it missed releasing the mHiiDatabaseLock lock on those paths. This patch releases mHiiDatabaseLock on those paths. Cc: Hao Wu Cc: Ray Ni Cc: Liming Gao Signed-off-by: Dandan Bi --- MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c index bd623cae15..a108fc6157 100644 --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c @@ -1,10 +1,10 @@ /** @file Implementation for EFI_HII_IMAGE_PROTOCOL. -Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -651,10 +651,11 @@ HiiNewImage ( // Make sure the size doesn't overflow UINT32. // Note: 24Bit BMP occpuies 3 bytes per pixel. // NewBlockSize = (UINT32)Image->Width * Image->Height; if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) { + EfiReleaseLock (&mHiiDatabaseLock); return EFI_OUT_OF_RESOURCES; } NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL)); // @@ -678,10 +679,11 @@ HiiNewImage ( // // Make sure the final package length doesn't overflow. // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24. // if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) { + EfiReleaseLock (&mHiiDatabaseLock); return EFI_OUT_OF_RESOURCES; } // // Because ImagePackage->ImageBlockSize < ImagePackage->ImagePkgHdr.Header.Length, // So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24 @@ -719,10 +721,11 @@ HiiNewImage ( // // Make sure the final package length doesn't overflow. // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24. // if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + sizeof (EFI_HII_IIBT_END_BLOCK))) { + EfiReleaseLock (&mHiiDatabaseLock); return EFI_OUT_OF_RESOURCES; } // // The specified package list does not contain image package. // Create one to add this image block. @@ -1159,16 +1162,18 @@ HiiSetImage ( // Length of the package header is represented using 24 bits. So MAX length is MAX_UINT24. // 24Bit BMP occpuies 3 bytes per pixel. // NewBlockSize = (UINT32)Image->Width * Image->Height; if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL))) / 3) { + EfiReleaseLock (&mHiiDatabaseLock); return EFI_OUT_OF_RESOURCES; } NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof (EFI_HII_RGB_PIXEL)); if ((NewBlockSize > OldBlockSize) && (NewBlockSize - OldBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) ) { + EfiReleaseLock (&mHiiDatabaseLock); return EFI_OUT_OF_RESOURCES; } // // Adjust the image package to remove the original block firstly then add the new block. -- 2.18.0.windows.1