From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.151, mailfrom: zhichao.gao@intel.com)
Received: from mga17.intel.com (mga17.intel.com [192.55.52.151])
 by groups.io with SMTP; Mon, 24 Jun 2019 20:22:54 -0700
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jun 2019 20:22:53 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.63,413,1557212400"; 
   d="scan'208";a="182790002"
Received: from fieedk001.ccr.corp.intel.com ([10.239.33.119])
  by fmsmga001.fm.intel.com with ESMTP; 24 Jun 2019 20:22:52 -0700
From: "Gao, Zhichao" <zhichao.gao@intel.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Hao A Wu <hao.a.wu@intel.com>,
	Ray Ni <ray.ni@intel.com>,
	Star Zeng <star.zeng@intel.com>
Subject: [PATCH] MdeModulePkg/CapsulePei: Add memory pointer check
Date: Tue, 25 Jun 2019 11:22:49 +0800
Message-Id: <20190625032249.28116-1-zhichao.gao@intel.com>
X-Mailer: git-send-email 2.21.0.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1935

Before use the memory that is allocated through AllocateZeroPool,
we should check the memory pointer is valid to avoid using the
NULL pointer.
Add check for VariableArrayAddress that is returned from
GetScatterGatherHeadEntries. If it is NULL, directly return
the error status.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 MdeModulePkg/Universal/CapsulePei/UefiCapsule.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c b/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
index 8d4ae69bb2..51afab7b05 100644
--- a/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
+++ b/MdeModulePkg/Universal/CapsulePei/UefiCapsule.c
@@ -965,6 +965,10 @@ GetScatterGatherHeadEntries (
     //
     if ((ValidIndex + 1) >= TempListLength) {
       EnlargedTempList = AllocateZeroPool (TempListLength * 2);
+      if (EnlargedTempList == NULL) {
+        DEBUG ((DEBUG_ERROR, "Fail to allocate memory!\n"));
+        return EFI_OUT_OF_RESOURCES;
+      }
       CopyMem (EnlargedTempList, TempList, TempListLength);
       FreePool (TempList);
       TempList = EnlargedTempList;
@@ -1056,7 +1060,7 @@ CapsuleCoalesce (
   // Get SG list entries
   //
   Status = GetScatterGatherHeadEntries (&ListLength, &VariableArrayAddress);
-  if (EFI_ERROR (Status)) {
+  if (EFI_ERROR (Status) || VariableArrayAddress == NULL) {
     DEBUG ((DEBUG_ERROR, "%a failed to get Scatter Gather List Head Entries.  Status = %r\n", __FUNCTION__, Status));
     goto Done;
   }
-- 
2.21.0.windows.1