From: "Pedro Falcato"
To: devel@edk2.groups.io
Cc: Pedro Falcato, Vitaly Cheptsov, Marvin Häuser, Michael D Kinney, Liming Gao, Zhiguang Liu
Subject: [PATCH 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
Date: Mon, 24 Oct 2022 23:11:44 +0100
Message-Id: <20221024221144.20702-1-pedro.falcato@gmail.com>

OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe, which was able to catch these (mostly harmless) issues.

Signed-off-by: Pedro Falcato
Cc: Vitaly Cheptsov
Cc: Marvin Häuser
Cc: Michael D Kinney
Cc: Liming Gao
Cc: Zhiguang Liu
---
 MdePkg/Library/BaseLib/SafeString.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c index f338a32a3a41..9bf86d32e1d6 100644 --- a/MdePkg/Library/BaseLib/SafeString.c +++ b/MdePkg/Library/BaseLib/SafeString.c @@ -863,6 +863,9 @@ StrHexToUintnS ( OUT UINTN *Data ) { + CONST CHAR16 *StartString; + + StartString = String; ASSERT (((UINTN)String & BIT0) == 0); // @@ -897,7 +900,7 @@ StrHexToUintnS ( } if (CharToUpper (*String) == L'X') { - if (*(String - 1) != L'0') { + if ((String != StartString) && (*(String - 1) != L'0')) { *Data = 0; return RETURN_SUCCESS; } @@ -992,6 +995,9 @@ StrHexToUint64S ( OUT UINT64 *Data ) { + CONST CHAR16 *StartString; + + StartString = String; ASSERT (((UINTN)String & BIT0) == 0); //
@@ -1026,7 +1032,7 @@ StrHexToUint64S ( } if (CharToUpper (*String) == L'X') { - if (*(String - 1) != L'0') { + if ((String != StartString) && (*(String - 1) != L'0')) { *Data = 0; return RETURN_SUCCESS; } @@ -2393,6 +2399,9 @@ AsciiStrHexToUintnS ( OUT UINTN *Data ) { + CONST CHAR8 *StartString; + + StartString = String; // // 1. Neither String nor Data shall be a null pointer. // @@ -2425,7 +2434,7 @@ AsciiStrHexToUintnS ( } if (AsciiCharToUpper (*String) == 'X') { - if (*(String - 1) != '0') { + if ((String != StartString) && (*(String - 1) != '0')) { *Data = 0; return RETURN_SUCCESS; } @@ -2517,6 +2526,9 @@ AsciiStrHexToUint64S ( OUT UINT64 *Data ) { + CONST CHAR8 *StartString; + + StartString = String; // // 1. Neither String nor Data shall be a null pointer. // @@ -2549,7 +2561,7 @@ AsciiStrHexToUint64S ( } if (AsciiCharToUpper (*String) == 'X') { - if (*(String - 1) != '0') { + if ((String != StartString) && (*(String - 1) != '0')) { *Data = 0; return RETURN_SUCCESS; } -- 2.38.1
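Review bot: In the `@@ -897,7 +900,7 @@` hunk of StrHexToUintnS, the new test `(String != StartString) && (*(String - 1) != L'0')` evaluates to false when `X` is the first character of the buffer, so the `*Data = 0; return RETURN_SUCCESS;` branch is skipped for exactly the input that caused the read before the start of the string. The old line took that branch whenever the `X` was not preceded by `0`, and an `X` with nothing in front of it belongs to that case. To avoid the read at `String - 1` without changing which inputs return 0, the condition should be `(String == StartString) || (*(String - 1) != L'0')`. The same point applies to the matching condition hunks in StrHexToUint64S, AsciiStrHexToUintnS and AsciiStrHexToUint64S.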
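Review bot: In the `@@ -863,6 +863,9 @@` hunk of StrHexToUintnS, `StartString = String;` is added with no comment saying why the original pointer is kept, and it sits above the existing `ASSERT` (in the two Ascii variants, above the "Neither String nor Data shall be a null pointer" comment). The copy itself does not dereference anything, so the ordering is safe, but a one-line comment such as "remember the start of the buffer so the X check never reads String[-1]" would tie the variable to the check some thirty lines below it. The same declaration is repeated in StrHexToUint64S, AsciiStrHexToUintnS and AsciiStrHexToUint64S, and the comment is worth having in each.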
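Review bot: The diffstat lists only MdePkg/Library/BaseLib/SafeString.c, so nothing in this patch pins down the behaviour for a string whose first character is `X` or `x`. A unit test for each of the four functions that passes such a string and checks the returned status and `*Data` would record the intended result and would keep the guard on `String - 1` from regressing. The commit message would also be easier to act on if it named that triggering input instead of only "these (mostly harmless) issues".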