From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id EDDC82194EB60 for ; Thu, 13 Apr 2017 21:47:35 -0700 (PDT) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Apr 2017 21:47:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,197,1488873600"; d="scan'208";a="73970174" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga002.jf.intel.com with ESMTP; 13 Apr 2017 21:47:35 -0700 Received: from fmsmsx117.amr.corp.intel.com (10.18.116.17) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 13 Apr 2017 21:47:34 -0700 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by fmsmsx117.amr.corp.intel.com (10.18.116.17) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 13 Apr 2017 21:47:34 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.246]) by SHSMSX104.ccr.corp.intel.com ([10.239.4.70]) with mapi id 14.03.0319.002; Fri, 14 Apr 2017 12:47:33 +0800 From: "Gao, Liming" To: "Wu, Hao A" , "edk2-devel@lists.01.org" Thread-Topic: [PATCH 2/2] IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size Thread-Index: AQHSsmnJxyOItV8QxU2o+j9DMFX5vaHET53w Date: Fri, 14 Apr 2017 04:47:32 +0000 Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14D71E4E5@shsmsx102.ccr.corp.intel.com> References: <20170411021724.16688-1-hao.a.wu@intel.com> <20170411021724.16688-3-hao.a.wu@intel.com> In-Reply-To: <20170411021724.16688-3-hao.a.wu@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH 2/2] IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Apr 2017 04:47:36 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Liming Gao >-----Original Message----- >From: Wu, Hao A >Sent: Tuesday, April 11, 2017 10:17 AM >To: edk2-devel@lists.01.org >Cc: Wu, Hao A ; Gao, Liming >Subject: [PATCH 2/2] IntelFrameworkPkg/UefiLib: Avoid mis-calculate of >graphic console size > >The commit adds check in function InternalPrintGraphic() to ensure that >the expression: > >Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) > >will not overflow in the UINTN range. > >The commit also adds an explicit UINT32 type cast for 'Blt->Width' to >avoid possible overflow in the int range for: > >Blt->Width * Blt->Height > >Since both Blt->Width and Blt->Height are of type UINT16. They will be >promoted to int (signed) first, and then perform the multiplication >operation. If the result of multiplication between Blt->Width and >Blt->Height exceeds the range of type int, a potential incorrect size will >be passed into funciton AllocateZeroPool(). > >Cc: Liming Gao >Contributed-under: TianoCore Contribution Agreement 1.0 >Signed-off-by: Hao Wu >--- > IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c | 11 >+++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > >diff --git a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c >b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c >index f0dcf9fb25..6f06efbe05 100644 >--- a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c >+++ b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c >@@ -2,7 +2,7 @@ > Mde UEFI library API implementation. > Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE > >- Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.
>+ Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the B= SD >License > which accompanies this distribution. The full text of the license may = be >found at >@@ -474,7 +474,14 @@ InternalPrintGraphic ( > } else if (FeaturePcdGet (PcdUgaConsumeSupport)) { > ASSERT (UgaDraw!=3D NULL); > >- Blt->Image.Bitmap =3D AllocateZeroPool (Blt->Width * Blt->Height * si= zeof >(EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); >+ // >+ // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) >doesn't overflow. >+ // >+ if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof >(EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) { >+ goto Error; >+ } >+ >+ Blt->Image.Bitmap =3D AllocateZeroPool ((UINT32) Blt->Width * Blt->He= ight >* sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)); > ASSERT (Blt->Image.Bitmap !=3D NULL); > > // >-- >2.12.0.windows.1