From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by mx.groups.io with SMTP id smtpd.web11.27848.1678473912727554564 for ; Fri, 10 Mar 2023 10:45:12 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@linux.microsoft.com header.s=default header.b=hrumMHAo; spf=pass (domain: linux.microsoft.com, ip: 13.77.154.182, mailfrom: mikuback@linux.microsoft.com) Received: from localhost.localdomain (unknown [47.201.8.94]) by linux.microsoft.com (Postfix) with ESMTPSA id A0B4420C14D5; Fri, 10 Mar 2023 10:45:11 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com A0B4420C14D5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1678473912; bh=uZmO0tMFS0whc+V6I+xVN1UBKh5modlPdwSXU1IOsMM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hrumMHAor6oAQsGe7oNfb0gyF0GafOJZMQApN7Poh+MSMhyroZJHsbV30MwCxldcr otknvp9MJO1/XXKvhw7eFexvHqmlzJgQd1pBxZwULT1htQjjSYzYb5tDK6vSlklyGp f6Kr837jus++jqRSWhZK0rknAgmyNNGno33OITo8= From: "Michael Kubacki" To: devel@edk2.groups.io Cc: Bob Feng , Liming Gao , Michael D Kinney , Sean Brogan , Yuwei Chen Subject: [PATCH v4 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites Date: Fri, 10 Mar 2023 13:42:29 -0500 Message-Id: <20230310184238.2999-4-mikuback@linux.microsoft.com> X-Mailer: git-send-email 2.39.2.windows.1 In-Reply-To: <20230310184238.2999-1-mikuback@linux.microsoft.com> References: <20230310184238.2999-1-mikuback@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Michael Kubacki While more portable methods exist to handle these cases, this change does not attempt to do more than fix the immediate problem and follow the conventions already established in this code. `snprintf()` is introduced as the minimum improvement apart from making the buffers larger. Fixes the following CodeQL alerts: 1. Failure on line 2339 in BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c - Type: Potentially overrunning write - Severity: Critical - Problem: This 'call to sprintf' operation requires 17 bytes but the destination is only 16 bytes. 2. Failure on line 2341 in BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c - Type: Potentially overrunning write - Severity: Critical - Problem: This 'call to sprintf' operation requires 17 bytes but the destination is only 16 bytes. 3. Failure on line 1309 in BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c - Type: Potentially overrunning write - Severity: Critical - Problem: This 'call to sprintf' operation requires 25 bytes but the destination is only 20 bytes. Cc: Bob Feng Cc: Liming Gao Cc: Michael D Kinney Cc: Sean Brogan Cc: Yuwei Chen Signed-off-by: Michael Kubacki Reviewed-by: Liming Gao Reviewed-by: Michael D Kinney --- BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c | 10 +++++----- BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c b/BaseTools/= Source/C/VfrCompile/Pccts/antlr/gen.c index 8e41239f4751..33d9cac4c7de 100644 --- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c +++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c @@ -2331,14 +2331,14 @@ TokNode *p; set_nameErrSet =3D bufErrSet; /* MR23 */ } else { /* wild card */ - static char buf[sizeof("zzerr")+10]; - static char bufErrSet[sizeof("zzerr")+10]; + static char buf[sizeof("zzerr")+11]; + static char bufErrSet[sizeof("zzerr")+11]; int n =3D DefErrSet( &b, 0, NULL ); int nErrSet =3D DefErrSetWithSuffix(0, &bErrSet, 1, NULL, "_set"); - if ( GenCC ) sprintf(buf, "err%d", n); - else sprintf(buf, "zzerr%d", n); + if ( GenCC ) snprintf(buf, 11, "err%d", n); + else snprintf(buf, 11, "zzerr%d", n); if ( GenCC ) sprintf(bufErrSet, "err%d", nErrSet); - else sprintf(bufErrSet, "zzerr%d", nErrSet); + else snprintf(bufErrSet, 11, "zzerr%d", nErrSet); set_name =3D buf; set_nameErrSet =3D bufErrSet; } diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c b/BaseTools= /Source/C/VfrCompile/Pccts/antlr/main.c index 051ee4ec5d28..488b4b90461c 100644 --- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c +++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c @@ -1295,7 +1295,7 @@ int token; #endif { int j; - static char imag_name[20]; + static char imag_name[25]; =20 /* look in all lexclasses for the token */ if ( TokenString(token) !=3D NULL ) return TokenString(token); @@ -1306,7 +1306,7 @@ int token; } =20 if (1) { - sprintf(imag_name,"UnknownToken#%d",token); /* MR13 */ + snprintf(imag_name, 25, "UnknownToken#%d", token); /* MR13 */ return imag_name; /* MR13 */ } =20 --=20 2.39.2.windows.1