From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 3EE0621A0483A for ; Tue, 11 Apr 2017 23:31:37 -0700 (PDT) Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Apr 2017 23:31:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,189,1488873600"; d="scan'208";a="247572283" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by fmsmga004.fm.intel.com with ESMTP; 11 Apr 2017 23:31:36 -0700 Received: from fmsmsx123.amr.corp.intel.com (10.18.125.38) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 11 Apr 2017 23:31:36 -0700 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by fmsmsx123.amr.corp.intel.com (10.18.125.38) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 11 Apr 2017 23:31:36 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.246]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.217]) with mapi id 14.03.0319.002; Wed, 12 Apr 2017 14:31:34 +0800 From: "Gao, Liming" To: "Song, BinX" , "edk2-devel@lists.01.org" Thread-Topic: [PATCH] MdeModulePkg: Fix BrotliCustomDecompressLib potential issue Thread-Index: AdKva31sNs1yyyJ/QMSWt9Ja5xarGgD6ujsw Date: Wed, 12 Apr 2017 06:31:33 +0000 Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14D71D395@shsmsx102.ccr.corp.intel.com> References: <559D2DF22BC9A3468B4FA1AA547F0EF10255AC9B@shsmsx102.ccr.corp.intel.com> In-Reply-To: <559D2DF22BC9A3468B4FA1AA547F0EF10255AC9B@shsmsx102.ccr.corp.intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH] MdeModulePkg: Fix BrotliCustomDecompressLib potential issue X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Apr 2017 06:31:37 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Liming Gao >-----Original Message----- >From: Song, BinX >Sent: Friday, April 07, 2017 2:52 PM >To: edk2-devel@lists.01.org >Cc: Gao, Liming >Subject: [PATCH] MdeModulePkg: Fix BrotliCustomDecompressLib potential >issue > >- Fix BrotliCustomDecompressLib potential issue > >Cc: Liming Gao >Contributed-under: TianoCore Contribution Agreement 1.0 >Signed-off-by: Bell Song >--- > .../Library/BrotliCustomDecompressLib/BrotliDecompress.c | 1 + > MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c | 12 >++++++++---- > 2 files changed, 9 insertions(+), 4 deletions(-) > >diff --git >a/MdeModulePkg/Library/BrotliCustomDecompressLib/BrotliDecompress.c >b/MdeModulePkg/Library/BrotliCustomDecompressLib/BrotliDecompress.c >index 2c2648a..a303921 100644 >--- >a/MdeModulePkg/Library/BrotliCustomDecompressLib/BrotliDecompress.c >+++ >b/MdeModulePkg/Library/BrotliCustomDecompressLib/BrotliDecompress.c >@@ -126,6 +126,7 @@ BrotliDecompress ( > BrotliState * BroState; > VOID * Temp; > >+ TotalOut =3D 0; > AvailableOut =3D FILE_BUFFER_SIZE; > Result =3D BROTLI_RESULT_ERROR; > BroState =3D BrotliCreateState(BrAlloc, BrFree, BuffInfo); >diff --git >a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c >b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c >index 1ebab3c..c49fab9 100644 >--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c >+++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/dec/decode.c >@@ -802,6 +802,7 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const >HuffmanCode* table, > uint32_t code; > uint32_t nbits; > code =3D ReadSymbol(table, br); >+ if (code >=3D BROTLI_NUM_BLOCK_LEN_SYMBOLS) code =3D >BROTLI_NUM_BLOCK_LEN_SYMBOLS - 1; > nbits =3D kBlockLengthPrefixCode[code].nbits; /* nbits =3D=3D 2..24 */ > return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits); > } >@@ -872,13 +873,13 @@ static BROTLI_NOINLINE void >InverseMoveToFrontTransform( > for (i =3D 0; i < v_len; ++i) { > int index =3D v[i]; > uint8_t value =3D mtf[index]; >- upper_bound |=3D v[i]; >+ upper_bound |=3D (uint32_t)v[i]; > v[i] =3D value; > mtf[-1] =3D value; >- do { >+ while (index > 0) { > index--; > mtf[index + 1] =3D mtf[index]; >- } while (index >=3D 0); >+ } > } > /* Remember amount of elements to be reinitialized. */ > state->mtf_upper_bound =3D upper_bound; >@@ -1498,6 +1499,7 @@ static BROTLI_INLINE BROTLI_BOOL >ReadCommandInternal( > return BROTLI_FALSE; > } > } >+ if (cmd_code >=3D BROTLI_NUM_COMMAND_SYMBOLS) cmd_code =3D >BROTLI_NUM_COMMAND_SYMBOLS - 1; > v =3D kCmdLut[cmd_code]; > s->distance_code =3D v.distance_code; > s->distance_context =3D v.context; >@@ -2209,7 +2211,9 @@ BrotliDecoderResult >BrotliDecoderDecompressStream( > } > s->max_distance =3D s->max_backward_distance; > if (s->state =3D=3D BROTLI_STATE_COMMAND_POST_WRITE_1) { >- memcpy(s->ringbuffer, s->ringbuffer_end, (size_t)s->pos); >+ if (s->ringbuffer !=3D 0) { >+ memcpy(s->ringbuffer, s->ringbuffer_end, (size_t)s->pos); >+ } > if (s->meta_block_remaining_len =3D=3D 0) { > /* Next metablock, if any */ > s->state =3D BROTLI_STATE_METABLOCK_DONE; >-- >2.10.2.windows.1