From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-002e3701.pphosted.com (mx0a-002e3701.pphosted.com [148.163.147.86]) by mx.groups.io with SMTP id smtpd.web10.5928.1623301053137748471 for ; Wed, 09 Jun 2021 21:57:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@hpe.com header.s=pps0720 header.b=fcCgLdpV; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: hpe.com, ip: 148.163.147.86, mailfrom: prvs=0795a86e96=nickle.wang@hpe.com) Received: from pps.filterd (m0150241.ppops.net [127.0.0.1]) by mx0a-002e3701.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15A4ndGL017874; Thu, 10 Jun 2021 04:57:26 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hpe.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=pps0720; bh=/0X+pVW6y3V6T9YWt1jKkQaiGiDoIOip/gJeQghH7a4=; b=fcCgLdpVTLHW2foX1dYLzjbR18ITMjFuVjeDdI2J0hS52AL1mt8luBeJx5hx5ugdGUUA pWU1aJy23tMa9Yja6WN6XaGuBtzcAR4e3/YiJPBoZr6dmyXrY954NcZLspJtLJA7lEOJ ocfazA5oHC3NrEarjjIHO72HE76bC5nMAkHBx8VqKiB2i5ZhZl+4SdcaeNRfrfz3jbTX 8RjRCQuiNKIaO3KXbLveGUCexPF5F6JDAZ/N8FhXFdPkww4N9g4t3Bmb84TFeyQtP64+ 7KkMmgBG35mHDqdu3Wrr4ghdLNyyJGW37S2EqoFANWXH3Ijpbhqz+TlHDWtWtQesd0Dw ww== Received: from g2t2354.austin.hpe.com (g2t2354.austin.hpe.com [15.233.44.27]) by mx0a-002e3701.pphosted.com with ESMTP id 3930bmde2u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Jun 2021 04:57:25 +0000 Received: from g2t2360.austin.hpecorp.net (g2t2360.austin.hpecorp.net [16.196.225.135]) by g2t2354.austin.hpe.com (Postfix) with ESMTP id 366A481; Thu, 10 Jun 2021 04:57:25 +0000 (UTC) Received: from WVE00YQZQF.asiapacific.hpqcorp.net (unknown [16.169.14.254]) by g2t2360.austin.hpecorp.net (Postfix) with ESMTP id 98B0E3F; Thu, 10 Jun 2021 04:57:23 +0000 (UTC) From: "Nickle Wang" To: devel@edk2.groups.io Cc: gaoliming@byosoft.com.cn, jian.j.wang@intel.com, hao.a.wu@intel.com, Nickle Wang Subject: [PATCH] MdeModulePkg/RegularExpressionDxe: Fix memory assert in FreePool() Date: Thu, 10 Jun 2021 12:56:40 +0800 Message-Id: <20210610045641.1466-1-nickle.wang@hpe.com> X-Mailer: git-send-email 2.31.1.windows.1 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: wbjq26YML2qJLNe-lubqYfi4JvYd3nrh X-Proofpoint-GUID: wbjq26YML2qJLNe-lubqYfi4JvYd3nrh X-HPE-SCL: -1 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-06-10_03:2021-06-10,2021-06-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 priorityscore=1501 lowpriorityscore=0 bulkscore=0 malwarescore=0 suspectscore=0 mlxlogscore=999 spamscore=0 clxscore=1011 mlxscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106100030 Content-Transfer-Encoding: quoted-printable Memory buffer that is allocated by malloc() and realloc() will be shifted by 8 bytes because Oniguruma keeps its memory signature. This 8 bytes shift is not handled while calling free() to release memory. Add free() function to check Oniguruma signature before release memory because memory buffer is not touched when using calloc(). Signed-off-by: Nickle Wang --- .../RegularExpressionDxe/OnigurumaUefiPort.c | 19 ++++++++++++++++++- .../RegularExpressionDxe/OnigurumaUefiPort.h | 14 ++------------ 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.= c b/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.c index 9aa7b0a68e..5c34324db8 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.c +++ b/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.c @@ -2,7 +2,7 @@ =0D Module to rewrite stdlib references within Oniguruma=0D =0D - (C) Copyright 2014-2015 Hewlett Packard Enterprise Development LP
=0D + (C) Copyright 2014-2021 Hewlett Packard Enterprise Development LP
=0D Copyright (c) 2020, Intel Corporation. All rights reserved.
=0D =0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D @@ -96,3 +96,20 @@ void* memset (void *dest, char ch, unsigned int count) return SetMem (dest, count, ch);=0D }=0D =0D +void free(void *ptr)=0D +{=0D + VOID *EvalOnce;=0D + ONIGMEM_HEAD *PoolHdr;=0D +=0D + EvalOnce =3D ptr;=0D + if (EvalOnce =3D=3D NULL) {=0D + return;=0D + }=0D +=0D + PoolHdr =3D (ONIGMEM_HEAD *)EvalOnce - 1;=0D + if (PoolHdr->Signature =3D=3D ONIGMEM_HEAD_SIGNATURE) {=0D + FreePool (PoolHdr);=0D + } else {=0D + FreePool (EvalOnce);=0D + }=0D +}=0D diff --git a/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.= h b/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.h index 20b75c3361..0bdb7be529 100644 --- a/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.h +++ b/MdeModulePkg/Universal/RegularExpressionDxe/OnigurumaUefiPort.h @@ -2,7 +2,7 @@ =0D Module to rewrite stdlib references within Oniguruma=0D =0D - (C) Copyright 2014-2015 Hewlett Packard Enterprise Development LP
=0D + (C) Copyright 2014-2021 Hewlett Packard Enterprise Development LP
=0D Copyright (c) 2020, Intel Corporation. All rights reserved.
=0D =0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D @@ -46,17 +46,6 @@ typedef INTN intptr_t; #endif=0D =0D #define calloc(n,s) AllocateZeroPool((n)*(s))=0D -=0D -#define free(p) \=0D - do { \=0D - VOID *EvalOnce; \=0D - \=0D - EvalOnce =3D (p); \=0D - if (EvalOnce !=3D NULL) { \=0D - FreePool (EvalOnce); \=0D - } \=0D - } while (FALSE)=0D -=0D #define xmemmove(Dest,Src,Length) CopyMem(Dest,Src,Length)=0D #define xmemcpy(Dest,Src,Length) CopyMem(Dest,Src,Length)=0D #define xmemset(Buffer,Value,Length) SetMem(Buffer,Length,Value)=0D @@ -98,6 +87,7 @@ void* malloc(size_t size); void* realloc(void *ptr, size_t size);=0D void* memcpy (void *dest, const void *src, unsigned int count);=0D void* memset (void *dest, char ch, unsigned int count);=0D +void free(void *ptr);=0D =0D #define exit(n) ASSERT(FALSE);=0D =0D --=20 2.31.1.windows.1