From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2328620D7648C for ; Wed, 12 Apr 2017 18:47:50 -0700 (PDT) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Apr 2017 18:47:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.37,192,1488873600"; d="scan'208";a="88477957" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by fmsmga006.fm.intel.com with ESMTP; 12 Apr 2017 18:47:49 -0700 Received: from fmsmsx112.amr.corp.intel.com (10.18.116.6) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 12 Apr 2017 18:47:49 -0700 Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by FMSMSX112.amr.corp.intel.com (10.18.116.6) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 12 Apr 2017 18:47:49 -0700 Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.178]) by SHSMSX103.ccr.corp.intel.com ([169.254.4.117]) with mapi id 14.03.0319.002; Thu, 13 Apr 2017 09:47:47 +0800 From: "Wu, Hao A" To: "Bi, Dandan" , "edk2-devel@lists.01.org" CC: "Dong, Eric" , "Gao, Liming" Thread-Topic: [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication Thread-Index: AQHSs1vGI0sYLPboT02Sk3guh8bj9qHCiPTg Date: Thu, 13 Apr 2017 01:47:47 +0000 Message-ID: References: <1491980931-115060-1-git-send-email-dandan.bi@intel.com> In-Reply-To: <1491980931-115060-1-git-send-email-dandan.bi@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Apr 2017 01:47:50 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Hao Wu Best Regards, Hao Wu > -----Original Message----- > From: Bi, Dandan > Sent: Wednesday, April 12, 2017 3:09 PM > To: edk2-devel@lists.01.org > Cc: Dong, Eric; Gao, Liming; Wu, Hao A > Subject: [patch] MdeModulePkg/HiiDB: Avoid incorrect results of multiplic= ation >=20 > An example: > The codes in function Output8bitPixel in Image.c: > OffsetY =3D BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); >=20 > Both Image->Width and Ypos are of type UINT16. They will be promoted to > int (signed) first, and then perform the multiplication defined by macro > BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width an= d > Ypos exceeds the range of type int, a potential incorrect results > will be assigned to OffsetY. >=20 > This commit adds explicit UINT32 type cast for 'Image->Width' to avoid > possible overflow in the int range. And also fix similar issues in > HiiDatabase. >=20 > Cc: Eric Dong > Cc: Liming Gao > Cc: Hao Wu > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Dandan Bi > --- > MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 24 ++++++++++++--------- > --- > 1 file changed, 12 insertions(+), 12 deletions(-) >=20 > diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > index e2fa16e..431a5b8 100644 > --- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c > @@ -103,21 +103,21 @@ GetImageIdOrAddress ( >=20 > case EFI_HII_IIBT_IMAGE_8BIT: > case EFI_HII_IIBT_IMAGE_8BIT_TRANS: > Length =3D sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8)= + > BITMAP_LEN_8_BIT ( > - ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BL= OCK *) > CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) > CurrentImageBlock)->Bitmap.Height) > ); > ImageIdCurrent++; > break; >=20 > case EFI_HII_IIBT_IMAGE_24BIT: > case EFI_HII_IIBT_IMAGE_24BIT_TRANS: > Length =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > BITMAP_LEN_24_BIT ( > - ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_B= LOCK *) > CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_B= LOCK *) > CurrentImageBlock)->Bitmap.Height) > ); > ImageIdCurrent++; > break; >=20 > @@ -451,11 +451,11 @@ Output8bitPixel ( >=20 > // > // Convert the pixel from 8 bits to corresponding color. > // > for (Ypos =3D 0; Ypos < Image->Height; Ypos++) { > - OffsetY =3D BITMAP_LEN_8_BIT (Image->Width, Ypos); > + OffsetY =3D BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); > // > // All bits are meaningful since the bitmap is 8 bits per pixel. > // > for (Xpos =3D 0; Xpos < Image->Width; Xpos++) { > Byte =3D *(Data + OffsetY + Xpos); > @@ -491,11 +491,11 @@ Output24bitPixel ( > ASSERT (Image !=3D NULL && Data !=3D NULL); >=20 > BitMapPtr =3D Image->Bitmap; >=20 > for (Ypos =3D 0; Ypos < Image->Height; Ypos++) { > - OffsetY =3D BITMAP_LEN_8_BIT (Image->Width, Ypos); > + OffsetY =3D BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos); > CopyRgbToGopPixel (&BitMapPtr[OffsetY], &Data[OffsetY], Image->Width= ); > } >=20 > } >=20 > @@ -648,11 +648,11 @@ HiiNewImage ( > if (PackageListNode =3D=3D NULL) { > return EFI_NOT_FOUND; > } >=20 > NewBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > - BITMAP_LEN_24_BIT (Image->Width, Image->Height); > + BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height= ); >=20 > // > // Get the image package in the package list, > // or create a new image package if image package does not exist. > // > @@ -751,11 +751,11 @@ HiiNewImage ( > } else { > ImageBlocks->BlockType =3D EFI_HII_IIBT_IMAGE_24BIT; > } > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > ImageBlocks)->Bitmap.Width, Image->Width); > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > ImageBlocks)->Bitmap.Height, Image->Height); > - CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)- > >Bitmap.Bitmap, Image->Bitmap, Image->Width * Image->Height); > + CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) ImageBlocks)- > >Bitmap.Bitmap, Image->Bitmap, (UINT32) Image->Width * Image->Height); >=20 > // > // Append the block end > // > ImageBlocks =3D (EFI_HII_IMAGE_BLOCK *) ((UINT8 *) ImageBlocks + > NewBlockSize); > @@ -894,11 +894,11 @@ IGetImage ( > // > // Use the common block code since the definition of these structure= s is the > same. > // > CopyMem (&Iibt1bit, CurrentImageBlock, sizeof > (EFI_HII_IIBT_IMAGE_1BIT_BLOCK)); > ImageLength =3D sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * > - (Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height); > + ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Heig= ht); > Image->Bitmap =3D AllocateZeroPool (ImageLength); > if (Image->Bitmap =3D=3D NULL) { > return EFI_OUT_OF_RESOURCES; > } >=20 > @@ -945,11 +945,11 @@ IGetImage ( > // fall through > // > case EFI_HII_IIBT_IMAGE_24BIT: > Width =3D ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOC= K > *) CurrentImageBlock)->Bitmap.Width); > Height =3D ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLO= CK > *) CurrentImageBlock)->Bitmap.Height); > - ImageLength =3D sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * (Width * > Height); > + ImageLength =3D sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) * ((UINT32) > Width * Height); > Image->Bitmap =3D AllocateZeroPool (ImageLength); > if (Image->Bitmap =3D=3D NULL) { > return EFI_OUT_OF_RESOURCES; > } >=20 > @@ -1093,19 +1093,19 @@ HiiSetImage ( > break; > case EFI_HII_IIBT_IMAGE_8BIT: > case EFI_HII_IIBT_IMAGE_8BIT_TRANS: > OldBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UI= NT8) + > BITMAP_LEN_8_BIT ( > - ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *= ) > CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BI= T_BLOCK > *) CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *= ) > CurrentImageBlock)->Bitmap.Height) > ); > break; > case EFI_HII_IIBT_IMAGE_24BIT: > case EFI_HII_IIBT_IMAGE_24BIT_TRANS: > OldBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > BITMAP_LEN_24_BIT ( > - ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), > + (UINT32) ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width), > ReadUnaligned16 ((VOID *) > &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Height) > ); > break; > default: > return EFI_NOT_FOUND; > @@ -1113,11 +1113,11 @@ HiiSetImage ( >=20 > // > // Create the new image block according to input image. > // > NewBlockSize =3D sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof > (EFI_HII_RGB_PIXEL) + > - BITMAP_LEN_24_BIT (Image->Width, Image->Height); > + BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height= ); > // > // Adjust the image package to remove the original block firstly then = add the > new block. > // > ImageBlocks =3D AllocateZeroPool (ImagePackage->ImageBlockSize + > NewBlockSize - OldBlockSize); > if (ImageBlocks =3D=3D NULL) { > @@ -1138,11 +1138,11 @@ HiiSetImage ( > NewImageBlock->BlockType =3D EFI_HII_IIBT_IMAGE_24BIT; > } > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > NewImageBlock)->Bitmap.Width, Image->Width); > WriteUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > NewImageBlock)->Bitmap.Height, Image->Height); > CopyGopToRgbPixel (((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) > NewImageBlock)->Bitmap.Bitmap, > - Image->Bitmap, Image->Width * Image->Height); > + Image->Bitmap, (UINT32) Image->Width * Image->Hei= ght); >=20 > CopyMem ((UINT8 *) NewImageBlock + NewBlockSize, (UINT8 *) > CurrentImageBlock + OldBlockSize, Part2Size); >=20 > FreePool (ImagePackage->ImageBlock); > ImagePackage->ImageBlock =3D ImageBlocks; > -- > 1.9.5.msysgit.1