From: "Wu, Hao A" <hao.a.wu@intel.com>
To: "Bi, Dandan" <dandan.bi@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Dong, Eric" <eric.dong@intel.com>, "Gao, Liming" <liming.gao@intel.com>
Subject: Re: [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication
Date: Thu, 13 Apr 2017 01:47:47 +0000	[thread overview]
Message-ID: <B80AF82E9BFB8E4FBD8C89DA810C6A0931C987C5@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <1491980931-115060-1-git-send-email-dandan.bi@intel.com>

Reviewed-by: Hao Wu <hao.a.wu@intel.com>


Best Regards,
Hao Wu


> -----Original Message-----
> From: Bi, Dandan
> Sent: Wednesday, April 12, 2017 3:09 PM
> To: edk2-devel@lists.01.org
> Cc: Dong, Eric; Gao, Liming; Wu, Hao A
> Subject: [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication
> 
> An example:
> The codes in function Output8bitPixel in Image.c:
> OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
> 
> Both Image->Width and Ypos are of type UINT16. They are promoted to
> int (signed) first, and then the multiplication defined by the macro
> BITMAP_LEN_8_BIT is performed. If the result of multiplying Image->Width
> by Ypos exceeds the range of type int, a potentially incorrect result
> will be assigned to OffsetY.
> 
> This commit adds explicit UINT32 type cast for 'Image->Width' to avoid
> possible overflow in the int range. And also fix similar issues in
> HiiDatabase.
> 
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Hao Wu <hao.a.wu@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Dandan Bi <dandan.bi@intel.com>
> ---
>  MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 ++++++++++++---------
> ---
>  1 file changed, 12 insertions(+), 12 deletions(-)
> 
> diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
> b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
> index e2fa16e..431a5b8 100644
> --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
> +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
> @@ -103,21 +103,21 @@ GetImageIdOrAddress (
> 
>      case EFI_HII_IIBT_IMAGE_8BIT:
>      case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
>        Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
>                 BITMAP_LEN_8_BIT (
> -                 ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Width),
> +                 (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Width),
>                   ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Height)
>                   );
>        ImageIdCurrent++;
>        break;
> 
>      case EFI_HII_IIBT_IMAGE_24BIT:
>      case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
>        Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
> (EFI_HII_RGB_PIXEL) +
>                 BITMAP_LEN_24_BIT (
> -                 ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Width),
> +                 (UINT32) ReadUnaligned16 ((VOID *)
> &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
>                   ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Height)
>                   );
>        ImageIdCurrent++;
>        break;
> 
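Review bot: The `(UINT32)` cast in the 24-bit case of `Length` removes the signed-int overflow, but the result can still wrap in 32 bits if `BITMAP_LEN_24_BIT` scales Width * Height by the 3-byte pixel size, as its name suggests (the macro is not visible here). Width and Height are read straight from the image block, so 0xFFFF x 0xFFFF x 3 is reachable and would yield a small `Length` used to step to the next block. The same applies to `NewBlockSize` in the HiiNewImage and HiiSetImage hunks, where the value sizes an allocation and the following `CopyGopToRgbPixel` copies the full Width * Height pixels. A range check before the multiplication would close this, for example `if ((UINT32) Width * Height > (MAX_UINT32 - sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK)) / sizeof (EFI_HII_RGB_PIXEL))` followed by an error return.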
> @@ -451,11 +451,11 @@ Output8bitPixel (
> 
>    //
>    // Convert the pixel from 8 bits to corresponding color.
>    //
>    for (Ypos = 0; Ypos < Image->Height; Ypos++) {
> -    OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
> +    OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
>      //
>      // All bits are meaningful since the bitmap is 8 bits per pixel.
>      //
>      for (Xpos = 0; Xpos < Image->Width; Xpos++) {
>        Byte = *(Data + OffsetY + Xpos);
> @@ -491,11 +491,11 @@ Output24bitPixel (
>    ASSERT (Image != NULL && Data != NULL);
> 
>    BitMapPtr = Image->Bitmap;
> 
>    for (Ypos = 0; Ypos < Image->Height; Ypos++) {
> -    OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
> +    OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
>      CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width);
>    }
> 
>  }
> 
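Review bot: In `Output24bitPixel`, `OffsetY` is used as an element index into `BitMapPtr` and `Data`, yet it is computed with `BITMAP_LEN_8_BIT`, a byte-length macro named for a different pixel format. This works only because that macro presumably expands to a plain Width * Height product, which the hunk does not show. Writing the index directly, `OffsetY = (UINT32) Image->Width * Ypos;`, or adding a comment such as `// OffsetY is a pixel index (Width * Ypos), not a byte length` would make the intent clear. The function begins outside this hunk, and `ASSERT (Image != NULL && Data != NULL)` is the only visible argument check.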
> @@ -648,11 +648,11 @@ HiiNewImage (
>    if (PackageListNode == NULL) {
>      return EFI_NOT_FOUND;
>    }
> 
>    NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
> (EFI_HII_RGB_PIXEL) +
> -                 BITMAP_LEN_24_BIT (Image->Width, Image->Height);
> +                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
> 
>    //
>    // Get the image package in the package list,
>    // or create a new image package if image package does not exist.
>    //
> @@ -751,11 +751,11 @@ HiiNewImage (
>    } else {
>      ImageBlocks->BlockType = EFI_HII_IIBT_IMAGE_24BIT;
>    }
>    WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> ImageBlocks)->Bitmap.Width, Image->Width);
>    WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> ImageBlocks)->Bitmap.Height, Image->Height);
> -  CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)-
> >Bitmap.Bitmap, Image->Bitmap, Image->Width * Image->Height);
> +  CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)-
> >Bitmap.Bitmap, Image->Bitmap, (UINT32) Image->Width * Image->Height);
> 
>    //
>    // Append the block end
>    //
>    ImageBlocks = (EFI_HII_IMAGE_BLOCK *) ((UINT8 *) ImageBlocks +
> NewBlockSize);
> @@ -894,11 +894,11 @@ IGetImage (
>      //
>      // Use the common block code since the definition of these structures is the
> same.
>      //
>      CopyMem (&Iibt1bit, CurrentImageBlock, sizeof
> (EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
>      ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
> -                  (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
> +                  ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
>      Image->Bitmap = AllocateZeroPool (ImageLength);
>      if (Image->Bitmap == NULL) {
>        return EFI_OUT_OF_RESOURCES;
>      }
> 
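Review bot: `ImageLength` can still wrap after the cast when UINTN is 32 bits wide: `(UINT32) Width * Height` reaches 0xFFFE0001, and multiplying by `sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)` then overflows. `AllocateZeroPool (ImageLength)` would return an undersized buffer that the pixel output routines later fill using the full Width and Height from the image block. The second IGetImage hunk (the `EFI_HII_IIBT_IMAGE_24BIT` case) has the same pattern. Rejecting oversized dimensions before allocating would cover both, for example `if ((UINT32) Width * Height > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) { return EFI_OUT_OF_RESOURCES; }`. The declaration of `ImageLength` is outside the hunk, so its width should be confirmed.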
> @@ -945,11 +945,11 @@ IGetImage (
>      // fall through
>      //
>    case EFI_HII_IIBT_IMAGE_24BIT:
>      Width = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK
> *) CurrentImageBlock)->Bitmap.Width);
>      Height = ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK
> *) CurrentImageBlock)->Bitmap.Height);
> -    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width *
> Height);
> +    ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32)
> Width * Height);
>      Image->Bitmap = AllocateZeroPool (ImageLength);
>      if (Image->Bitmap == NULL) {
>        return EFI_OUT_OF_RESOURCES;
>      }
> 
> @@ -1093,19 +1093,19 @@ HiiSetImage (
>      break;
>    case EFI_HII_IIBT_IMAGE_8BIT:
>    case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
>      OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
>                     BITMAP_LEN_8_BIT (
> -                     ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Width),
> +                     (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK
> *) CurrentImageBlock)->Bitmap.Width),
>                       ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
> CurrentImageBlock)->Bitmap.Height)
>                       );
>      break;
>    case EFI_HII_IIBT_IMAGE_24BIT:
>    case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
>      OldBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
> (EFI_HII_RGB_PIXEL) +
>                     BITMAP_LEN_24_BIT (
> -                     ReadUnaligned16 ((VOID *)
> &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
> +                     (UINT32) ReadUnaligned16 ((VOID *)
> &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
>                       ReadUnaligned16 ((VOID *)
> &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height)
>                       );
>      break;
>    default:
>      return EFI_NOT_FOUND;
> @@ -1113,11 +1113,11 @@ HiiSetImage (
> 
>    //
>    // Create the new image block according to input image.
>    //
>    NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
> (EFI_HII_RGB_PIXEL) +
> -                 BITMAP_LEN_24_BIT (Image->Width, Image->Height);
> +                 BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
>    //
>    // Adjust the image package to remove the original block firstly then add the
> new block.
>    //
>    ImageBlocks = AllocateZeroPool (ImagePackage->ImageBlockSize +
> NewBlockSize - OldBlockSize);
>    if (ImageBlocks == NULL) {
> @@ -1138,11 +1138,11 @@ HiiSetImage (
>      NewImageBlock->BlockType = EFI_HII_IIBT_IMAGE_24BIT;
>    }
>    WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> NewImageBlock)->Bitmap.Width, Image->Width);
>    WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> NewImageBlock)->Bitmap.Height, Image->Height);
>    CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *)
> NewImageBlock)->Bitmap.Bitmap,
> -                       Image->Bitmap, Image->Width * Image->Height);
> +                       Image->Bitmap, (UINT32) Image->Width * Image->Height);
> 
>    CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *)
> CurrentImageBlock + OldBlockSize, Part2Size);
> 
>    FreePool (ImagePackage->ImageBlock);
>    ImagePackage->ImageBlock                       = ImageBlocks;
> --
> 1.9.5.msysgit.1


