[PATCH 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

* [PATCH 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString
@ 2022-10-24 22:11 Pedro Falcato
  0 siblings, 0 replies; only message in thread
From: Pedro Falcato @ 2022-10-24 22:11 UTC (permalink / raw)
  To: devel
  Cc: Pedro Falcato, Vitaly Cheptsov, Marvin Häuser,
	Michael D Kinney, Liming Gao, Zhiguang Liu

OpenCore folks established an ASAN-equipped project to fuzz Ext4Dxe,
which was able to catch these (mostly harmless) issues.

Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Vitaly Cheptsov <vit9696@protonmail.com>
Cc: Marvin Häuser <mhaeuser@posteo.de>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
---
 MdePkg/Library/BaseLib/SafeString.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c
index f338a32a3a41..9bf86d32e1d6 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -863,6 +863,9 @@ StrHexToUintnS (
   OUT       UINTN   *Data
   )
 {
+  CONST CHAR16  *StartString;
+
+  StartString = String;
   ASSERT (((UINTN)String & BIT0) == 0);
 
   //
@@ -897,7 +900,7 @@ StrHexToUintnS (
   }
 
   if (CharToUpper (*String) == L'X') {
-    if (*(String - 1) != L'0') {
+    if ((String != StartString) && (*(String - 1) != L'0')) {
       *Data = 0;
       return RETURN_SUCCESS;
     }
@@ -992,6 +995,9 @@ StrHexToUint64S (
   OUT       UINT64  *Data
   )
 {
+  CONST CHAR16  *StartString;
+
+  StartString = String;
   ASSERT (((UINTN)String & BIT0) == 0);
 
   //
@@ -1026,7 +1032,7 @@ StrHexToUint64S (
   }
 
   if (CharToUpper (*String) == L'X') {
-    if (*(String - 1) != L'0') {
+    if ((String != StartString) && (*(String - 1) != L'0')) {
       *Data = 0;
       return RETURN_SUCCESS;
     }
@@ -2393,6 +2399,9 @@ AsciiStrHexToUintnS (
   OUT       UINTN  *Data
   )
 {
+  CONST CHAR8  *StartString;
+
+  StartString = String;
   //
   // 1. Neither String nor Data shall be a null pointer.
   //
@@ -2425,7 +2434,7 @@ AsciiStrHexToUintnS (
   }
 
   if (AsciiCharToUpper (*String) == 'X') {
-    if (*(String - 1) != '0') {
+    if ((String != StartString) && (*(String - 1) != '0')) {
       *Data = 0;
       return RETURN_SUCCESS;
     }
@@ -2517,6 +2526,9 @@ AsciiStrHexToUint64S (
   OUT       UINT64  *Data
   )
 {
+  CONST CHAR8  *StartString;
+
+  StartString = String;
   //
   // 1. Neither String nor Data shall be a null pointer.
   //
@@ -2549,7 +2561,7 @@ AsciiStrHexToUint64S (
   }
 
   if (AsciiCharToUpper (*String) == 'X') {
-    if (*(String - 1) != '0') {
+    if ((String != StartString) && (*(String - 1) != '0')) {
       *Data = 0;
       return RETURN_SUCCESS;
     }
-- 
2.38.1


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2022-10-24 22:11 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-24 22:11 [PATCH 1/1] MdePkg/BaseLib: Fix out-of-bounds reads in SafeString Pedro Falcato

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox