From: "Vitaly Cheptsov" <cheptsov@ispras.ru>
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Date: Fri, 15 May 2020 12:30:46 +0300
To: "Kinney, Michael D", "bret.barkelew@microsoft.com", Marvin Häuser
Cc: "devel@edk2.groups.io", Andrew Fish, Ard Biesheuvel, "Brian J . Johnson", "Chiu, Chasel", "Justen, Jordan L", Laszlo Ersek, Leif Lindholm, "Gao, Liming", "Zimmer, Vincent", "Gao, Zhichao"
References: <20200514092537.29609-1-cheptsov@ispras.ru> <20200514092537.29609-2-cheptsov@ispras.ru>

Mike, Bret,

The assertion in UnicodeStrnToAsciiStrS is currently not a runtime check but a precondition. I.e. the function does not work with such sequences.

I fully agree that it is not right, and that we should actually update the documentation and change it to the following construction (0x80 instead of 0x100 for 7-bit ASCII and '?' for invalid patch):

  if (*Source < 0x80) {
    *(Destination++) = (CHAR8) *(Source++);
  } else {
    *(Destination++) = '?';
    Source++;  // advance past the unrepresentable character so the loop terminates
  }

However, it has to be out of the scope of this patch due to the nature of the change: function behaviour change for RELEASE instead of assertion removal for the runtime check as for all the rest. Should file a bugzilla as well.

As for alignment, I believe Marvin explained it well, and I have nothing to add there.
There is no need to change the patch anyhow.

Best wishes,
Vitaly

> On 15 May 2020, at 01:14, Kinney, Michael D wrote:
>
> Bret,
>
> I agree with all your points. Which is why I am asking if we should address this in the current patch under review.
>
> I will also point out that another way to get an odd pointer address value for a CHAR16 is through use of packed structures. If a CHAR16 string is in a packed structure and starts at an odd byte offset, then directly passing the CHAR16 string field to one of these APIs will ASSERT() or generate an exception if the ASSERT()s are removed. When using packed structures, fields that are larger than 1-byte need to either be copied to an aligned location or accessed using the Unaligned Read/Write APIs.
>
> Mike
>
> From: devel@edk2.groups.io On Behalf Of Bret Barkelew via groups.io
> Sent: Thursday, May 14, 2020 2:15 PM
> To: devel@edk2.groups.io; Kinney, Michael D; cheptsov@ispras.ru
> Cc: Andrew Fish; Ard Biesheuvel; Brian J . Johnson; Chiu, Chasel; Justen, Jordan L; Laszlo Ersek; Leif Lindholm; Gao, Liming; Marvin Häuser; Zimmer, Vincent; Gao, Zhichao
> Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Why isn't that a failed return value?
> That would be unexpected behavior in RELEASE.
>
> Either that, or the function should take in a substitution character (e.g. '?') for invalid characters.
>
> The prototype of this function is bad if it doesn't allow for this possibility, and an ASSERT isn't making code any better/safer by only ASSERTing.
>
> - Bret
>
> From: Michael D Kinney via groups.io
> Sent: Thursday, May 14, 2020 2:07 PM
> To: devel@edk2.groups.io; cheptsov@ispras.ru; Kinney, Michael D
> Cc: Andrew Fish; Ard Biesheuvel; Bret Barkelew; Brian J . Johnson; Chiu, Chasel; Justen, Jordan L; Laszlo Ersek; Leif Lindholm; liming.gao; Marvin Häuser; Zimmer, Vincent; Gao, Zhichao
> Subject: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Hi Vitaly,
>
> What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
>
>   //
>   // Convert string
>   //
>   while ((*Source != 0) && (SourceLen > 0)) {
>     //
>     // If any Unicode characters in Source contain non-zero value in the upper
>     // 8 bits, then ASSERT().
>     //
>     ASSERT (*Source < 0x100);
>     *(Destination++) = (CHAR8) *(Source++);
>     SourceLen--;
>     (*DestinationLength)++;
>   }
>   *Destination = 0;
>
> Mike
>
> From: devel@edk2.groups.io On Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 11:59 AM
> To: Kinney, Michael D
> Cc: devel@edk2.groups.io; Andrew Fish; Ard Biesheuvel; Bret Barkelew; Brian J . Johnson; Chiu, Chasel; Justen, Jordan L; Laszlo Ersek; Leif Lindholm; Gao, Liming; Marvin Häuser; Zimmer, Vincent; Gao, Zhichao
> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Mike,
>
> The code you posted may inflict undefined behaviour and is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
>
> If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
> My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot even be represented in the first place.
>
> Yet, once again it is out of the scope of the current problem.
>
> Best wishes,
> Vitaly
>
> On 14 May 2020, at 20:58, Kinney, Michael D wrote:
>
> Vitaly,
>
> Why do you think there is no way to craft an odd address without memory corruption?
>
>   UINT8  ByteArray[100];
>   CHAR16 *String;
>
>   String = (CHAR16 *)(&ByteArray[3]);
>
> The reason I raised the question of these other ASSERT()s is that I thought the use case was using these safe string APIs from a UEFI App, and the UEFI App always wants to evaluate the return status to know if the operation was completed or not. In a build that removes all ASSERT()s, an odd address will generate an exception on some CPU archs. Wouldn't it be better for the UEFI App that is already designed to handle error return status to get an error code instead of an exception?
>
> Mike
>
> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 10:39 AM
> To: Kinney, Michael D
> Cc: devel@edk2.groups.io; Andrew Fish; Ard Biesheuvel; Bret Barkelew; Brian J . Johnson; Chiu, Chasel; Justen, Jordan L; Laszlo Ersek; Leif Lindholm; Gao, Liming; Marvin Häuser; Zimmer, Vincent; Gao, Zhichao
> Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> Mike,
>
> Firstly, NULL check and odd-address checks are essentially different things:
> — NULL address is basically «no object», «optional argument» (e.g. failed allocation).
> — Odd address is memory corruption, as there is no way to craft such address anyhow else.
> For this reason the implementation is allowed to treat them differently.
>
> Secondly, as I said in my cover letter there is no behaviour change here for RELEASE builds. Behaviour changes unrelated to the bugfix will have to go to a separate patch. I agree that we may want to reconsider the interface in the future, but that's for a separate bugzilla and patch. Not discussing it currently is important to avoid diverting from the primary problem. Could create a bugzilla not to forget about it soon after the stable tag.
>
> Best wishes,
> Vitaly
>
> On 14 May 2020, at 19:38, Kinney, Michael D wrote:
>
> Why preserve the ASSERT()s for Unicode strings that are not aligned in a 16-bit boundary?
>
> This is essentially the same as an invalid pointer value, just like NULL. If a NULL pointer returns an error code, shouldn't an invalid pointer value?
>
> Thanks,
>
> Mike
>
> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Vitaly Cheptsov
> Sent: Thursday, May 14, 2020 2:26 AM
> To: devel@edk2.groups.io
> Cc: Andrew Fish; Ard Biesheuvel; Bret Barkelew; Brian J . Johnson; Chiu, Chasel; Justen, Jordan L; Laszlo Ersek; Leif Lindholm; Gao, Liming; Marvin Häuser; Kinney, Michael D; Zimmer, Vincent; Gao, Zhichao
> Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2054
>
> Runtime checks returned via status return code should not work as
> assertions to permit parsing not trusted data with SafeString
> interfaces.
>
> CC: Andrew Fish
> CC: Ard Biesheuvel
> CC: Bret Barkelew
> CC: Brian J. Johnson
> CC: Chasel Chiu
> CC: Jordan Justen
> CC: Laszlo Ersek
> CC: Leif Lindholm
> CC: Liming Gao
> CC: Marvin Häuser
> CC: Mike Kinney
> CC: Vincent Zimmer
> CC: Zhichao Gao
> Signed-off-by: Vitaly Cheptsov
> ---
>  MdePkg/Include/Library/BaseLib.h    | 120 ++--------------------
>  MdePkg/Library/BaseLib/SafeString.c |  80 -------------
>  2 files changed, 7 insertions(+), 193 deletions(-)
>
> diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
> index ecadff8b23..62dc3151bc 100644
> --- a/MdePkg/Include/Library/BaseLib.h
> +++ b/MdePkg/Include/Library/BaseLib.h
> @@ -189,7 +189,6 @@ StrnSizeS ( >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -225,7 +224,6 @@ StrCpyS ( >=20 >=20 >=20 >=20 >=20 > If Length > 0 and Destination is not aligned on a > 16-bit boundary, then ASSERT(). >=20 >=20 > If Length > 0 and Source is not aligned on a 16- > bit >=20 > boundary, then ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -263,7 +261,6 @@ StrnCpyS ( >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -303,7 +300,6 @@ StrCatS ( >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 
> @@ -350,12 +346,7 @@ StrnCatS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 > @@ -406,12 +397,7 @@ StrDecimalToUintnS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 
> @@ -467,12 +453,7 @@ StrDecimalToUint64S ( >=20 >=20 > the first character that is a not a valid > hexadecimal character or NULL, >=20 >=20 > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > @@ -528,12 +509,7 @@ StrHexToUintnS ( >=20 >=20 > the first character that is a not a valid > hexadecimal character or NULL, >=20 >=20 > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > @@ -622,8 +598,6 @@ AsciiStrnSizeS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strcpy_s defined in > C11. >=20 >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 
> @@ -656,8 +630,6 @@ AsciiStrCpyS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strncpy_s defined in > C11. >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 > @@ -692,8 +664,6 @@ AsciiStrnCpyS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strcat_s defined in > C11. >=20 >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 > @@ -730,8 +700,6 @@ AsciiStrCatS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strncat_s defined in > C11. >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 
> @@ -777,12 +745,6 @@ AsciiStrnCatS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINTN, then >=20 >=20 > @@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINT64, then >=20 >=20 
> @@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S ( >=20 >=20 > character that is a not a valid hexadecimal > character or Null-terminator, >=20 >=20 > whichever on comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINTN, then >=20 >=20 > @@ -950,12 +900,6 @@ AsciiStrHexToUintnS ( >=20 >=20 > character that is a not a valid hexadecimal > character or Null-terminator, >=20 >=20 > whichever on comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINT64, then >=20 >=20 
> @@ -1506,16 +1450,8 @@ StrHexToUint64 ( >=20 >=20 > "::" can be used to compress one or more groups of > X >=20 > when X contains only 0. >=20 >=20 > The "::" can only appear once in the String. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Address is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 >=20 >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If EndPointer is not NULL and Address is > translated >=20 > from String, a pointer >=20 >=20 > to the character that stopped the scan is stored > at >=20 > the location pointed to >=20 >=20 > by EndPointer. >=20 >=20 > @@ -1567,15 +1503,10 @@ StrToIpv6Address ( >=20 >=20 > When /P is in the String, the function stops at > the >=20 > first character that is not >=20 >=20 > a valid decimal digit character after P is > converted. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Address is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 >=20 >=20 >=20 > If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If EndPointer is not NULL and Address is > translated >=20 > from String, a pointer >=20 >=20 > to the character that stopped the scan is stored > at >=20 > the location pointed to >=20 >=20 
> @@ -1640,8 +1571,6 @@ StrToIpv4Address ( >=20 >=20 > oo Data4[48:55] >=20 >=20 > pp Data4[56:63] >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Guid is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 >=20 >=20 >=20 > @param String Pointer to a > Null- >=20 > terminated Unicode string. >=20 >=20 > @@ -1676,17 +1605,6 @@ StrToGuid ( >=20 >=20 >=20 >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Buffer is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Length is not multiple of 2, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero and > Length is greater than >=20 >=20 > - PcdMaximumUnicodeStringLength, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If MaxBufferSize is less than (Length / 2), then > ASSERT(). >=20 >=20 > - >=20 >=20 > @param String Pointer to a > Null- >=20 > terminated Unicode string. >=20 >=20 > @param Length The number of > Unicode characters to decode. >=20 >=20 > @param Buffer Pointer to the > converted bytes array. >=20 >=20 > @@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr ( >=20 >=20 > the upper 8 bits, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 
> @@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS ( >=20 >=20 > bits of each Unicode character. The function > terminates the Ascii string >=20 >=20 > Destination by appending a Null-terminator > character >=20 > at the end. >=20 >=20 >=20 >=20 >=20 > - The caller is responsible to make sure > Destination >=20 > points to a buffer with size >=20 >=20 > - equal or greater than ((StrLen (Source) + 1) * > sizeof (CHAR8)) in bytes. >=20 >=20 > + The caller is responsible to make sure > Destination >=20 > points to a buffer with >=20 >=20 > + size not smaller than ((MIN(StrLen(Source), > Length) >=20 > + 1) * sizeof (CHAR8)) >=20 >=20 > + in bytes. >=20 >=20 >=20 >=20 >=20 > If any Unicode characters in Source contain non- > zero >=20 > value in the upper 8 >=20 >=20 > bits, then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > - If an error is returned, then the Destination is > unmodified. >=20 >=20 > + If an error is returned, then Destination and > DestinationLength are >=20 >=20 > + unmodified. >=20 >=20 >=20 >=20 >=20 > @param Source The pointer to a Null- > terminated Unicode string. >=20 >=20 > @param Length The maximum number of > Unicode characters to >=20 >=20 > convert. >=20 >=20 > @param Destination The pointer to a Null- > terminated Ascii string. >=20 >=20 > - @param DestMax The maximum number of > Destination Ascii >=20 >=20 > - char, including > terminating null char. >=20 >=20 > + @param DestMax The maximum number of > Destination Ascii char, >=20 >=20 > + including terminating > null char. >=20 >=20 > @param DestinationLength The number of Unicode > characters converted. >=20 >=20 >=20 >=20 >=20 > @retval RETURN_SUCCESS String is > converted. >=20 >=20 
> @@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 ( >=20 >=20 > "::" can be used to compress one or more groups of > X >=20 > when X contains only 0. >=20 >=20 > The "::" can only appear once in the String. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Address is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > If EndPointer is not NULL and Address is > translated >=20 > from String, a pointer >=20 >=20 > to the character that stopped the scan is stored > at >=20 > the location pointed to >=20 >=20 > by EndPointer. >=20 >=20 > @@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address ( >=20 >=20 > When /P is in the String, the function stops at > the >=20 > first character that is not >=20 >=20 > a valid decimal digit character after P is > converted. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Address is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > If EndPointer is not NULL and Address is > translated >=20 > from String, a pointer >=20 >=20 > to the character that stopped the scan is stored > at >=20 > the location pointed to >=20 >=20 > by EndPointer. >=20 >=20 > @@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address ( >=20 >=20 > oo Data4[48:55] >=20 >=20 > pp Data4[56:63] >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Guid is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > @param String Pointer to a > Null- >=20 > terminated ASCII string. >=20 >=20 > @param Guid Pointer to the > converted GUID. >=20 >=20 >=20 >=20 >=20 
> @@ -2541,17 +2448,6 @@ AsciiStrToGuid ( >=20 >=20 > decoding stops after Length of characters and > outputs Buffer containing >=20 >=20 > (Length / 2) bytes. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Buffer is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Length is not multiple of 2, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero and > Length is greater than >=20 >=20 > - PcdMaximumAsciiStringLength, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If MaxBufferSize is less than (Length / 2), then > ASSERT(). >=20 >=20 > - >=20 >=20 > @param String Pointer to a > Null- >=20 > terminated ASCII string. >=20 >=20 > @param Length The number of > ASCII >=20 > characters to decode. >=20 >=20 > @param Buffer Pointer to the > converted bytes array. >=20 >=20 > @@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr ( >=20 >=20 > equal or greater than ((AsciiStrLen (Source) + 1) > * >=20 > sizeof (CHAR16)) in bytes. >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS ( >=20 >=20 > ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof > (CHAR8)) in bytes. >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then Destination and > DestinationLength are >=20 >=20 > unmodified. >=20 >=20 > diff --git a/MdePkg/Library/BaseLib/SafeString.c > b/MdePkg/Library/BaseLib/SafeString.c >=20 >=20 > index 7dc03d2caa..1db42abb05 100644 >=20 >=20 > --- a/MdePkg/Library/BaseLib/SafeString.c >=20 >=20 
> +++ b/MdePkg/Library/BaseLib/SafeString.c >=20 >=20 > @@ -14,7 +14,6 @@ >=20 >=20 >=20 >=20 >=20 > #define SAFE_STRING_CONSTRAINT_CHECK(Expression, > Status) \ >=20 >=20 > do { \ >=20 >=20 > - ASSERT (Expression); \ >=20 >=20 > if (!(Expression)) { \ >=20 >=20 > return Status; \ >=20 >=20 > } \ >=20 >=20 > @@ -197,7 +196,6 @@ StrnSizeS ( >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -279,7 +277,6 @@ StrCpyS ( >=20 >=20 >=20 >=20 >=20 > If Length > 0 and Destination is not aligned on a > 16-bit boundary, then ASSERT(). >=20 >=20 > If Length > 0 and Source is not aligned on a 16- > bit >=20 > boundary, then ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -372,7 +369,6 @@ StrnCpyS ( >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 
> @@ -473,7 +469,6 @@ StrCatS ( >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @@ -590,12 +585,7 @@ StrnCatS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 
> @@ -705,12 +695,7 @@ StrDecimalToUintnS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 > @@ -825,12 +810,7 @@ StrDecimalToUint64S ( >=20 >=20 > the first character that is a not a valid > hexadecimal character or NULL, >=20 >=20 > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 
> @@ -956,12 +936,7 @@ StrHexToUintnS ( >=20 >=20 > the first character that is a not a valid > hexadecimal character or NULL, >=20 >=20 > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > If String is not aligned in a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If PcdMaximumUnicodeStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumUnicodeStringLength Unicode characters, > not including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > @@ -1856,8 +1831,6 @@ AsciiStrCpyS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strncpy_s defined in > C11. >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 > @@ -1944,8 +1917,6 @@ AsciiStrnCpyS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strcat_s defined in > C11. >=20 >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 > @@ -2040,8 +2011,6 @@ AsciiStrCatS ( >=20 >=20 >=20 >=20 >=20 > This function is similar as strncat_s defined in > C11. >=20 >=20 >=20 >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 > - >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 > @param Destination A pointer to a > Null-terminated Ascii string. >=20 >=20 
> @@ -2154,12 +2123,6 @@ AsciiStrnCatS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINTN, then >=20 >=20 > @@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS ( >=20 >=20 > be ignored. Then, the function stops at the first > character that is a not a >=20 >=20 > valid decimal character or a Null-terminator, > whichever one comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid decimal digits in the above > format, then 0 is stored >=20 >=20 > at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINT64, then >=20 >=20 
> @@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S ( >=20 >=20 > character that is a not a valid hexadecimal > character or Null-terminator, >=20 >=20 > whichever on comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINTN, then >=20 >=20 > @@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS ( >=20 >=20 > character that is a not a valid hexadecimal > character or Null-terminator, >=20 >=20 > whichever on comes first. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Data is NULL, then ASSERT(). >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero, and > String contains more than >=20 >=20 > - PcdMaximumAsciiStringLength Ascii characters, not > including the >=20 >=20 > - Null-terminator, then ASSERT(). >=20 >=20 > - >=20 >=20 > If String has no valid hexadecimal digits in the > above format, then 0 is >=20 >=20 > stored at the location pointed to by Data. >=20 >=20 > If the number represented by String exceeds the > range defined by UINT64, then >=20 >=20 > @@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S ( >=20 >=20 > the upper 8 bits, then ASSERT(). >=20 >=20 >=20 >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then the Destination is > unmodified. >=20 >=20 >=20 >=20 >=20 
> @@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS ( >=20 >=20 > If any Unicode characters in Source contain non- > zero >=20 > value in the upper 8 >=20 >=20 > bits, then ASSERT(). >=20 >=20 > If Source is not aligned on a 16-bit boundary, > then >=20 > ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then Destination and > DestinationLength are >=20 >=20 > unmodified. >=20 >=20 > @@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS ( >=20 >=20 > ((MIN(AsciiStrLen(Source), Length) + 1) * sizeof > (CHAR8)) in bytes. >=20 >=20 >=20 >=20 >=20 > If Destination is not aligned on a 16-bit > boundary, >=20 > then ASSERT(). >=20 >=20 > - If an error would be returned, then the function > will also ASSERT(). >=20 >=20 >=20 >=20 >=20 > If an error is returned, then Destination and > DestinationLength are >=20 >=20 > unmodified. >=20 >=20 > @@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS ( >=20 >=20 > "::" can be used to compress one or more groups of > X >=20 > when X contains only 0. >=20 >=20 > The "::" can only appear once in the String. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Address is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > If EndPointer is not NULL and Address is > translated >=20 > from String, a pointer >=20 >=20 > to the character that stopped the scan is stored > at >=20 > the location pointed to >=20 >=20 > by EndPointer. >=20 >=20 
> @@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address ( >=20 >=20 > When /P is in the String, the function stops at > the >=20 > first character that is not >=20 >=20 > a valid decimal digit character after P is > converted. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Address is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > If EndPointer is not NULL and Address is > translated >=20 > from String, a pointer >=20 >=20 > to the character that stopped the scan is stored > at >=20 > the location pointed to >=20 >=20 > by EndPointer. >=20 >=20 > @@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address ( >=20 >=20 > oo Data4[48:55] >=20 >=20 > pp Data4[56:63] >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - If Guid is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > @param String Pointer to a > Null- >=20 > terminated ASCII string. >=20 >=20 > @param Guid Pointer to the > converted GUID. >=20 >=20 >=20 >=20 >=20 
> @@ -3550,17 +3481,6 @@ AsciiStrToGuid ( >=20 >=20 > decoding stops after Length of characters and > outputs Buffer containing >=20 >=20 > (Length / 2) bytes. >=20 >=20 >=20 >=20 >=20 > - If String is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Buffer is NULL, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If Length is not multiple of 2, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If PcdMaximumAsciiStringLength is not zero and > Length is greater than >=20 >=20 > - PcdMaximumAsciiStringLength, then ASSERT(). >=20 >=20 > - >=20 >=20 > - If MaxBufferSize is less than (Length / 2), then > ASSERT(). >=20 >=20 > - >=20 >=20 > @param String Pointer to a > Null- >=20 > terminated ASCII string. >=20 >=20 > @param Length The number of > ASCII >=20 > characters to decode. >=20 >=20 > @param Buffer Pointer to the > converted bytes array. >=20 >=20 > -- >=20 >=20 > 2.24.2 (Apple Git-127) >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20
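Review bot: In the hunk at @@ -590,12 +585,7 @@ (the decimal-conversion doc block that follows StrnCatS), the NULL and PcdMaximumUnicodeStringLength ASSERT lines are dropped but "If String is not aligned in a 16-bit boundary, then ASSERT()." is kept with no wording that marks it as a deliberate precondition rather than a runtime check, so a reader comparing the before and after cannot tell whether the alignment ASSERT was overlooked or intended to stay. Suggest extending the retained line, e.g. "If String is not aligned in a 16-bit boundary, then ASSERT(); misalignment is treated as a caller bug, not a runtime check.", or stating once in the file header which conditions remain assertions. The same pattern repeats in the hunks at @@ -705,12 +695,7 @@, @@ -825,12 +810,7 @@ and @@ -956,12 +936,7 @@.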
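Review bot: In the hunk at @@ -2735,7 +2679,6 @@ (the doc block for the variant with DestinationLength, i.e. UnicodeStrnToAsciiStrS), "If any Unicode characters in Source contain non-zero value in the upper 8 bits, then ASSERT()." survives while "- If an error would be returned, then the function will also ASSERT()." is removed. The retained line describes an assertion on the contents of Source, which is exactly the data-dependent kind of check that cannot be tolerated when the input is untrusted; since the thread defers changing this behaviour to a separate bugzilla, the documentation should at least say that the caller must validate Source beforehand, or carry a note pointing at the follow-up, so the line is not read as one more runtime check that was accidentally left asserting. The context line "the upper 8 bits, then ASSERT()." in the hunk at @@ -2635,7 +2580,6 @@ needs the same treatment.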
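Review bot: In the hunk at @@ -3550,17 +3481,6 @@ (the hex-to-bytes doc block with the String, Length and Buffer parameters), five conditions are removed ("- If Length is not multiple of 2, then ASSERT().", "- If MaxBufferSize is less than (Length / 2), then ASSERT()." and the PcdMaximumAsciiStringLength pair among them) and nothing is documented in their place before the @param list begins. A caller of a RELEASE build now has only the return status to go on, so each removed condition should map to a named status in the @retval section (which lies below this hunk and is not visible here): what is returned for an odd Length, for MaxBufferSize smaller than Length / 2, and for the length-limit case. Please confirm those @retval entries exist or add them in this patch, since this is the hunk that takes the assertions away.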

The assertion in UnicodeStrnToAsciiS= trS is currently not a runtime check but a precondition. I.e. the function = does not work with such sequences.

I fully agree that it is not right, and that we should ac= tually update the documentation and change it to the following construction= (0x80 instead of 0x100 for 7-bit ASCII and =E2=80=98?=E2=80=99 for invalid= patch): 

if= (*Source < 0x80) {
  *(Destination++) = =3D (CHAR8) *(Source++);
} else {
  *(Destination++) =3D =E2=80=98?';
}

However, it has to be= out of the scope of this patch due to the nature of the change: function b= ehaviour change for RELEASE instead of assertion removal for the runtime ch= eck as for all the rest. Should file a bugzilla as well.

As for alignment, I believe Marvin = explained it well, and I have nothing to add there. There is no need to cha= nge the patch anyhow.

Best wishes,
Vitaly

15 =D0=BC=D0=B0=D1=8F 2020 =D0=B3., =D0=B2 01:14, Kinney, Mic= hael D <michael= .d.kinney@intel.com> =D0=BD=D0=B0=D0=BF=D0=B8=D1=81=D0=B0=D0=BB(=D0= =B0):

Bret,
 <= /span>
I agree with all y= our points. &nb= sp;Which is why I am asking if we should address this in the = current patch under review.
 
I will also point out that anoth= er way to get an off pointer address value for a CHAR16 is through use of p= acked structures.  If a CHAR16 string is in a packaged structure and st= arts at an odd byte offset, then directly passing the CHAR16 string field t= o one of these APIs will ASSERT() or generate an exception if the ASSERT()s= are removed. &= nbsp;When using packed structures, fields that are larger tha= n 1-byte need to either be copied to an aligned location or accessed using = the Unaligned Read/Write APIs.
 
Mike
&nb= sp;
From: devel@edk2.gro= ups.io <devel@edk2.groups.io> On Behalf Of Bret Barkelew via groups.io
Sent: Thursday, May 14, 2020 2:15 PM
T= o: 
devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>= ; cheptsov@ispras.ru
Cc: 
Andrew Fish <afish@apple.com>; Ard Biesheuvel <ard.biesheuvel@linaro.org>; B= rian J . Johnson <brian.johnson= @hpe.com>; Chiu, Chasel <chasel.chiu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <= lersek@redhat.com>; Leif Lindho= lm <leif@nuviainc.com>; Gao,= Liming <liming.gao@intel.com>; Marvin H=C3=A4user <mhae= user@outlook.de>; Zimmer, Vincent <vincent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
= Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString per= forming assertions on runtime checks
 
Why isn=E2=80=99t that a failed return value?
That would be unexpected b= ehavior in RELEASE.
=  
Either that, = or the function should take in a substitution character (e.g. =E2=80=98?=E2= = =80=99) for invalid characters.
 
= The prototype of this function is bad if it doesn=E2=80=99t allow for this = possibility, and an ASSERT isn=E2=80=99t making code any better/safer by on= ly ASSERTing.
 
- Bret
 
From: Michael D Kinney via groups.io
Sent: Thursday, May 14, 2020 2:= 07 PM
To:=  devel@edk2.groups.= io; cheptsov@ispras.ru; Kinney, M= ichael D
Cc: Andrew Fish;=  Ard Biesheuvel; Bret Barkele= w; Brian J . Johnson; Chiu, Chasel<= /a>; Justen, Jordan L; Laszlo Ersek= ; Leif Lindholm; = ;liming.gao; Marvin H=C3=A4user; <= /span>Zimmer, Vincent; Gao, Zhichao
Subject: [EXTERNAL] Re: [edk2-devel] [P= ATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks=
 
Hi Vitaly,=
 
<= div style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibr= i, sans-serif;" class=3D"">What about this ASSERT() in UnicodeStrnToAsciiSt= rS().  It is an ASSERT() on the data contents.
 
  //
  // Convert string
  //
  while ((*Source !=3D 0) && (SourceLen > 0)) {
    //
    // = If any Unicode characters in Source contain non-zero value in the upper
    // 8= bits, then ASSERT().
    //
    ASSERT (*Source < 0= x100);
 =    *(Destination++) =3D (CHAR8) *(Source++);
    SourceLen--;
    (*Destina= tionLength)++;
 = ; }
  *Destinat= ion =3D 0;
 
Mike
 
From: deve= l@edk2.groups.io <= devel@edk2.groups.io> On Behalf Of Vitaly Cheptsov
Sent: <= /span>Thursday, May 14, 2020 11:59 AM
To: 
Kinney, Michael D <michael.d.kinney@intel.com>= ;
Cc:=  devel@edk2.groups.io; Andrew Fish <afish@apple.com&= gt;; Ard Biesheuvel <ard.= biesheuvel@linaro.org>; Bret Barkelew <bret.barkelew@microsoft.com>; Brian J . Johnson= <brian.johnson@hpe.com>= ; Chiu, Chasel <chasel.chiu@int= el.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; Gao, Liming <<= a href=3D"mailto:liming.gao@intel.com" style=3D"color: rgb(149, 79, 114); t= ext-decoration: underline;" class=3D"">liming.gao@intel.com>; Marvin= H=C3=A4user <mhaeuser@outlook.de= >; Zimmer, Vincent <v= incent.zimmer@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
S= ubject: Re: [edk2-dev= el] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime = checks
<= o:p class=3D""> 
Mike,
 
= The code you posted may inflict undefined behaviour is not valid C for seve= ral reasons. The compiler is free to do whatever it desires. Please refer t= o ISO/IEC 9899 for more details.
 
=
If applications cast raw pointe= rs to typed pointers without checking their alignment, well, god bless them= :)
My opinion is both the compiler and the hardware are welcome to do t= he worst once your third line is discovered. On a number of CPUs such addre= sses cannot be even represented in the first place.
 = ;
Yet, once ag= ain it is out of the scope of the current problem.
 =
Best wishes,<= o:p class=3D"">
Vitaly
 

 

14 =D0=BC=D0=B0=D1=8F 2020 =D0=B3., =D0= =B2 20:58, Kinney, Michael D <michael.d.kinney@intel.com> =D0=BD=D0=B0=D0=BF=D0=B8=D1=81=D0= = =B0=D0=BB(=D0=B0):
 

Vitaly,

Why do you think ther= e is no way to craft an odd address&n= bsp;
without memory corruption.

UINT8   ByteArray[100];
CHAR16  *String=

String =3D (CHAR16 *)(&Array[3]);

The reason I raised the question of these other ASSER= T()s
is that I thought the use case was using these safe stri= ng
APIs from a UEFI App, and the UEFI App always wants to eva= luate
the return status to know if the operation was complete= d or
not.  In build that removes all ASSERT()s, an odd a= ddress
will generate an exception on some CPU archs.  Wo= uldn=E2=80=99t it
be better for the UEFI App that is already = designed to handle
error return status to get an error code i= nstead of an 
exception?

Mike

-----Origi= nal Message-----
From:&= nbsp;devel@edk2.groups.io <devel@edk2.groups.io> On
Behalf O= f Vitaly Cheptsov
Sent: Thursday, May 14, 2020 10:39 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>
Cc: = devel@edk2.groups.io; Andrew Fish
<afish@apple.com>; Ard Biesheuvel
<<= a href=3D"mailto:ard.biesheuvel@linaro.org" style=3D"color: rgb(149, 79, 11= 4); text-decoration: underline;" class=3D"">ard.biesheuvel@linaro.org&g= t;; Bret Barkelew
<bret.barkelew@microsoft.com>; Brian J . Johnson
<brian.johnson@hpe.com>= ;; Chiu, Chasel
<= chasel.chiu@intel.com>; Justen, Jordan L
<jordan.l.justen@intel.com>; L= aszlo Ersek
<lersek@r= edhat.com>; Leif Lindholm <l= eif@nuviainc.com>;
Gao, Liming <liming.gao@intel.com>; Marvin H=C3=A4user
<mhaeuser@outlook.de= >; Zimmer, Vincent
<vincent.zimmer@intel.com>; Gao, Zhichao
<<= a href=3D"mailto:zhichao.gao@intel.com" style=3D"color: rgb(149, 79, 114); = text-decoration: underline;" class=3D"">zhichao.gao@intel.com>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks

Mike,

Firstly, NULL check and odd-addre= ss checks are
essentially different things:
=E2= = =80=94 NULL address is basically =C2=ABno object=C2=BB, =C2=ABoptional
argument=C2=BB (e.g. failed allocation).
=E2=80=94= Odd address is memory corruption, as there is no way
to craf= t such address anyhow else.
For this reason the implementatio= n is allowed to treat
them differently.

Secondly, as I said in my cover letter there is no
be= haviour change here for RELEASE builds. Behaviour
changes unr= elated to the bugfix will have to go to a
separate patch. I a= gree that we may want to reconsider
the interface in the futu= re, but that=E2=80=99s for a separate
bugzilla and patch. Not= discussing it currently is
important to avoid diverting from= the primary problem.
Could create a bugzilla not to forget a= bout it soon
after the stable tag.

Best wishes,
Vitaly

14 =D0=BC=D0=B0=D1=8F 20= 20 =D0=B3., =D0=B2 19:38, Kinney, Michael D

<michael.d.kinney@intel.com> =D0=BD=D0=B0= =D0=BF=D0=B8=D1=81=D0=B0=D0=BB(=D0=B0):


Why preserve the ASSERT()s for an a= Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid poin= ter

value

just like NULL.  If NULL pointer returns an error

code,

shouldn't and inval= id pointer value?

Thanks,

Mike

-----Original Message-----
From:<= span class=3D"Apple-converted-space"> 
devel@edk2.groups.io <devel@edk2.group= s.io> On
Behalf Of Vitaly Cheptsov
Sent:= Thursday, May 14, 2020 2:26 AM
To: devel@edk2= .groups.io
Cc: Andrew Fish <afish@apple.com>; Ard Biesheuvel
<ard.biesheuvel@linaro.org>; B= ret Barkelew
<bret.barkelew@microsoft.com>; Brian J . Johnson
<= ;brian.johnson@hpe.com>; Ch= iu, Chasel
<chas= el.chiu@intel.com>; Justen, Jordan L
<jordan.l.justen@intel.com>; Laszlo E= rsek
<lersek@redhat.c= om>; Leif Lindholm

<leif@nuviainc.com>;

Gao, Liming <l= iming.gao@intel.com>; Marvin H=C3=A4user
<mhaeuser@outlook.de>; Kinney, Micha= el D
<mich= ael.d.kinney@intel.com>; Zimmer, Vincent
<vincent.zimmer@intel.com>; Gao= , Zhichao
<zhic= hao.gao@intel.com>
Subject: [edk2-devel] [PATCH V6 1/1= ] MdePkg: Fix
SafeString performing assertions on runtime che= cks

REF:
https://bugzilla.tianocore.org/show_bug.cg= i?id=3D2054



=

Runtime checks returned via status return cod= e

should

not work as


assertio= ns to permit parsing not trusted data with
SafeString


interfaces.





CC: Andrew F= ish <afish@apple.com>


CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>


CC: Bret Barkelew <bret.barkelew@microsoft.com>


CC: Brian J. Johnson <brian.johnson@hpe.com>


CC: Chasel Chiu <chasel.chiu@intel.com>


CC: Jordan Justen <j= ordan.l.justen@intel.com>


CC: Laszlo Ersek <lersek@redhat.c= om>


CC: Leif Lindholm &l= t;leif@nuviainc.com>


CC: Liming Gao <liming.gao@intel.com>


CC: Marvin H=C3=A4user <mhaeuser@outlook.de>


CC: Mike Kinney <michael.d.kinney@intel.com>


CC: Vincent Zimmer <v= incent.zimmer@intel.com>


CC: Zhichao Gao <zhichao.gao@i= ntel.com>


Signed-off-by:= Vitaly Cheptsov

<vit9696@protonmail.com>



---


MdePkg/Include/Library/BaseLib.h    | = 120 ++--------
=

--

--------


MdePk= g/Library/BaseLib/SafeString.c |  80 ----------<= /span>

--=

-


2 files changed, 7 insertions(+), 193 deletions(-= )





diff --git a/MdePkg/Include/Library/BaseLib.h
b/MdePkg/Include/Library/BaseLib.h


index ecadff8b23..62dc3151bc 100644

--- a/MdePkg/Include/Library/BaseLib.h


+++ b/MdePkg/Include/Library/BaseLib.h
=

@@ -189,7 +189,6 @@ StrnSizeS (





 If Destination is not aligned on a 16-bit

bounda= ry,

then ASSERT().

 If Source is not aligned on= a 16-bit boundary,

then

ASSERT().


-  If an error would be returned, then the function
w= ill also ASSERT().





 If an error is returned, then the De= stination is
unmodified.





@@ -225,7 +224,6 @@ St= rCpyS (





 If Length > 0 and Destination is not aligned= on a
16-bit boundary, then ASSERT().


 If Length > 0 and Source is not aligned on a= 16-

bit

boundary, then ASSERT().


-  If an error would be returned, then the function
will also ASSERT().





 If an error is returned, then th= e Destination is
unmodified.




@@ -263,7 +261,6 @= @ StrnCpyS (




 If Destination is not aligned on a 16-bit<= o:p class=3D"">

boundary,

then ASSERT().


 = ;If Source is not aligned on a 16-bit boundary,

then

ASSERT().


-  If an error would be returned, then= the function
will also ASSERT().





 If an e= rror is returned, then the Destination is
unmodified.





@@ -303,7 +300,6 @@ StrCatS (





 If Destination is= not aligned on a 16-bit

boundary,

then ASSERT().


 If Source is not aligned on a 16-bit boundary,

then

= ASSERT().


-  If an error w= ould be returned, then the function
will also ASSERT().





 If an error is returned, then the Destination is
unmodified.



<= br class=3D"">
@@ -350,12 +346,7 @@ StrnCatS (
=

 be ignored. Then, the function stops at= the first
character that is a not a


 valid decimal character or a Null-terminator,whichever one comes first.





-  If String is = NULL, then ASSERT().


-  If= Data is NULL, then ASSERT().


&= nbsp;If String is not aligned in a 16-bit boundary,

the= n

ASSERT().


-  If PcdMaximumUnicodeStringLeng= th is not zero, and
String contains more than
<= br class=3D"">
-  PcdMaximumUnicodeStringLength Unicode = characters,
not including the

-  Null-terminator, then ASSERT().





 If= String has no valid decimal digits in the above
format, then= 0 is stored


 at the locat= ion pointed to by Data.


@@ -406= ,12 +397,7 @@ StrDecimalToUintnS (


 be ignored. Then, the function stops at the first
character that is a not a


&nb= sp;valid decimal character or a Null-terminator,
whichever on= e comes first.



<= br class=3D"">
-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSER= T().


 If String is not ali= gned in a 16-bit boundary,
<= /blockquote>

then

ASSERT().

-  If PcdMaximumUnicodeStringLength is not zero, and
String contains more than


-  PcdMaximumUnicodeStringLength Unicode characters,
not including the


- &nbs= p;Null-terminator, then ASSERT().





 If String has no vali= d decimal digits in the above
format, then 0 is stored


 at the location pointed to by D= ata.


@@ -467,12 +453,7 @@ StrDe= cimalToUint64S (


 the firs= t character that is a not a valid
hexadecimal character or NU= LL,


 whichever one comes f= irst.





-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT().

 If String is not aligned in= a 16-bit boundary,

then

ASSERT().


-  If PcdMaximumUnicodeStringLength is not zero, and
= String contains more than


- &nb= sp;PcdMaximumUnicodeStringLength Unicode characters,
not incl= uding the


-  Null-terminat= or, then ASSERT().





 If String has no valid hexadecimal d= igits in the
above format, then 0 is


 stored at the location pointed to by Data.


@@ -528,12 +509,7 @@ StrHexToUintnS= (


 the first character th= at is a not a valid
hexadecimal character or NULL,


 whichever one comes first.





-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT().


 If String is not aligned in a 16-bit b= oundary,

then

ASSERT().


-  = If PcdMaximumUnicodeStringLength is not zero, and
String cont= ains more than


-  PcdMaxim= umUnicodeStringLength Unicode characters,
not including the

-  Null-terminator, then AS= SERT().





 If String has no valid hexadecimal digits in th= e
above format, then 0 is


 stored at the location pointed to by Data.

@@ -622,8 +598,6 @@ AsciiStrnSizeS (





 This function is similar as strcpy_s defined in

C11.






-  If an = error would be returned, then the function
will also ASSERT()= .


-


 If an error is returned, then the Destination is
unmodified.





 @param  Destination  &= nbsp;           A po= inter to a
Null-terminated Ascii string.


@@ -656,8 +630,6 @@ AsciiStrCpyS (




&n= bsp;This function is similar as strncpy_s defined in
C11.





-  If an error would be returned, then the function
will also ASSERT().


-

 If an error is returned, th= en the Destination is
unmodified.





 @param =  Destination          &nb= sp;   A pointer to a
Null-terminated Ascii str= ing.


@@ -692,8 +664,6 @@ AsciiS= trnCpyS (





 This function is similar as strcat_s defined = in

C11.






-  If an error would be returned, then the function
will also ASSERT().


-


 If an error is returned, then t= he Destination is
unmodified.




 @param &nbs= p;Destination           &= nbsp;  A pointer to a
Null-terminated Ascii string.=


@@ -730,8 +700,6 @@ AsciiStrCa= tS (





 This function is similar as strncat_s defined i= n
C11.





-  If an error would be returned,= then the function
will also ASSERT().


-


 I= f an error is returned, then the Destination is
unmodified.



 @param  Destination      &= nbsp;       A pointer to a
Null-terminated Ascii string.


= @@ -777,12 +745,6 @@ AsciiStrnCatS (


 be ignored. Then, the function stops at the first
character that is a not a


&nb= sp;valid decimal character or a Null-terminator,
whichever on= e comes first.



<= br class=3D"">
-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSER= T().


-  If PcdMaximumAscii= StringLength is not zero, and
String contains more than


-  PcdMaximumAsciiStringLength = Ascii characters, not
including the


-  Null-terminator, then ASSERT().


-


 If String has no valid decimal digits in the above
fo= rmat, then 0 is stored


 at= the location pointed to by Data.


 If the number represented by String exceeds the
rang= e defined by UINTN, then


@@ -83= 2,12 +794,6 @@ AsciiStrDecimalToUintnS (


 be ignored. Then, the function stops at the first
character that is a not a


 valid decimal character or a Null-terminator,
whichev= er one comes first.





-  If String is NULL, then ASSERT= ().


-  If Data is NULL, th= en ASSERT().


-  If PcdMaxi= mumAsciiStringLength is not zero, and
String contains more th= an


-  PcdMaximumAsciiStrin= gLength Ascii characters, not
including the

-  Null-terminator, then ASSERT().


-


 If String has no valid decimal digits in the above
format, then 0 is stored


 at the location pointed to by Data.

 If the number represented by String exceeds the
range defined by UINT64, then


@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (


 character that is a not a valid hexadecimalcharacter or Null-terminator,

 whichever on comes first.




-  If String= is NULL, then ASSERT().


- &nbs= p;If Data is NULL, then ASSERT().


-  If PcdMaximumAsciiStringLength is not zero, and
St= ring contains more than


-  = ;PcdMaximumAsciiStringLength Ascii characters, not
including = the


-  Null-terminator, th= en ASSERT().


-

 If String has no valid hexadecimal digits= in the
above format, then 0 is

=
 stored at the location pointed to by Data.


 If the number represented by String = exceeds the
range defined by UINTN, then


@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (


 character that is a not a valid = hexadecimal
character or Null-terminator,


 whichever on comes first.





- &n= bsp;If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT().


-  If PcdMaximumAsciiStringLength is not zero, and
String contains more than


-  PcdMaximumAsciiStringLength Ascii characters, not
including the


-  Nu= ll-terminator, then ASSERT().


-=


 If String has no valid h= exadecimal digits in the
above format, then 0 is


 stored at the location pointed to by = Data.


 If the number repre= sented by String exceeds the
range defined by UINT64, then

@@ -1506,16 +1450,8 @@ StrHexToUi= nt64 (


 "::" can be used t= o compress one or more groups of

X

when X contains only 0.

 The "::" can only appear once in the Strin= g.





-  If String is NULL, then ASSERT().

-


-=  If Address is NULL, then ASSERT().


-


 If String is= not aligned in a 16-bit boundary,

then=

ASSERT().





-  If P= cdMaximumUnicodeStringLength is not zero, and
String contains= more than


-  PcdMaximumUn= icodeStringLength Unicode characters,
not including the


-  Null-terminator, then ASSERT= ().


-


 If EndPointer is not NULL and Address is

translated

from String, a pointer


&= nbsp;to the character that stopped the scan is stored=

a= t

the location pointe= d to


 by EndPointer.


@@ -1567,15 +1503,10 @@ StrToIpv6Add= ress (


 When /P is in the = String, the function stops at

the=

first character that is not


 a valid decimal digit character after = P is
converted.


<= br class=3D"">

-  If String is NULL, then= ASSERT().


-


-  If Address is NULL, then ASSERT().


-


 If String is not aligned in a 16-bit boundary,

then

ASSERT= ().





 If PcdMaximumUnicodeStringLength is not zero, andString contains more than


 PcdMaximumUnicodeStringLength Unicode characters,
not including the


-  Nu= ll-terminator, then ASSERT().


<= br class=3D"">

 If EndPointer is not NULL= and Address is

translated=

<= blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt;" class=3D"">
from String, a pointer


 to the character that stopped the scan is stored

at

= the location pointed to


@@ -164= 0,8 +1571,6 @@ StrToIpv4Address (


            =      oo        =   Data4[48:55]


 =             &nb= sp;   pp         &nb= sp;Data4[56:63]



=

-  If String is NULL, then ASSERT().


-  If Guid is NULL, then ASSE= RT().


 If String is not al= igned in a 16-bit boundary,
=

then<= /span>

ASSERT().




 @param &nbs= p;String            =        Pointer to a

= Null-

terminated Unic= ode string.


@@ -1676,17 +1605,6= @@ StrToGuid (



=

 If String is not aligned in a 16-bit bo= undary,

then

ASSERT().





-  If String is NULL, then ASSERT= ().


-


-  If Buffer is NULL, then ASSERT().


-


-  If Length is not multiple of 2, then ASSERT().


-


-  If PcdMaximumUnicodeStringLength is not zero and
Le= ngth is greater than


-  Pc= dMaximumUnicodeStringLength, then ASSERT().

-


-  If MaxBu= fferSize is less than (Length / 2), then
ASSERT().


-


 @param  String        = ;           Pointer = to a

Null-

terminated Unicode string.


 @param  Length       &nbs= p;           The num= ber of
Unicode characters to decode.


 @param  Buffer     &nb= sp;            =  Pointer to the
converted bytes array.

@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (


 the upper 8 bits, then ASSER= T().





 If Source is not aligned on a 16-bit boundary,<= o:p class=3D"">

then

ASSERT().


-  If an = error would be returned, then the function
will also ASSERT()= .





 If an error is returned, then the Destination is
unmodified.





@@ -1818,22 +1735,23 @@ UnicodeStrToAs= ciiStrS (


 bits of each Un= icode character. The function
terminates the Ascii string


 Destination by appending a N= ull-terminator
=

character

at the end.





-  The caller is r= esponsible to make sure

Destination

points to a buffer with size


-  equal or greater than ((StrLen (So= urce) + 1) *
sizeof (CHAR8)) in bytes.


+  The caller is responsible to make sure

Destination

points to a buffer with


= +  size not smaller than ((MIN(StrLen(Source),

Len= gth)

+ 1) * sizeof (C= HAR8))


+  in bytes.





 If any Unicode characters in Source contain non-

zero

value = in the upper 8


 bits, then= ASSERT().


 If Source is n= ot aligned on a 16-bit boundary,

then

ASSERT().


-  If an error would be returned, then the function<= br class=3D"">will also ASSERT().





-  If an error is retu= rned, then the Destination is
unmodified.


+  If an error is returned, then Destination = and
DestinationLength are


+  unmodified.




 @param  Source  =            The point= er to a Null-
terminated Unicode string.


 @param  Length     &= nbsp;       The maximum number of
Unicode characters to


&= nbsp;           &nbs= p;            &= nbsp;  convert.


 = ;@param  Destination        The poi= nter to a Null-
terminated Ascii string.


-  @param  DestMax    &nbs= p;       The maximum number of
Destination Ascii


- &nbs= p;            &= nbsp;           &nbs= p;  char, including
terminating null char.


+  @param  DestMax  &nb= sp;         The maximum number= of
Destination Ascii char,


+           &n= bsp;            = ;     including terminating
null cha= r.


 @param  Destinati= onLength  The number of Unicode
characters converted.



 @retval RETURN_SUCCESS      &nbs= p;     String is
converted.
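Review bot: The change of the required Destination size from ((StrLen (Source) + 1) * sizeof (CHAR8)) to ((MIN(StrLen(Source), Length) + 1) * sizeof (CHAR8)) is a documentation correction independent of the assertion removal this patch is about; splitting it into its own commit would keep the history bisectable and let it be reviewed against the function body on its own. If it stays, make the spacing in the new line consistent with the file's style: it mixes "StrLen(Source)" with "sizeof (CHAR8)" in the same expression, while the removed line used "StrLen (Source)".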


@@ -2388,10 +2306,6 @@ AsciiStrHexToUi= nt64 (


 "::" can be used t= o compress one or more groups of

X

when X contains only 0.

 The "::" can only appear once in the Strin= g.





-  If String is NULL, then ASSERT().

-


-=  If Address is NULL, then ASSERT().


-


 If EndPointe= r is not NULL and Address is

translated=

from String, a pointer


 to the character that stopped the scan= is stored

at

the location pointed to


 by EndPointer.


@@ = -2443,10 +2357,6 @@ AsciiStrToIpv6Address (

 When /P is in the String, the function stops at

the

first= character that is not


 a = valid decimal digit character after P is
converted.





-  If String is NULL, then ASSERT().


-


-  If = Address is NULL, then ASSERT().


-


 If EndPointer is not N= ULL and Address is

translated

from String, a pointer


 to the character that stopped the scan is store= d

at

the location pointed to


=  by EndPointer.


@@ -2508,9= +2418,6 @@ AsciiStrToIpv4Address (


           &n= bsp;     oo       &n= bsp;  Data4[48:55]


&n= bsp;            = ;    pp         = ; Data4[56:63]





-  If String is NULL, then ASSERT= ().


-  If Guid is NULL, th= en ASSERT().


-

 @param  String    &nb= sp;            =   Pointer to a

Null-

terminated ASCII string.


 @param  Guid     &nb= sp;            =    Pointer to the
converted GUID.





@@ -2541,17 +2448,6 @@ AsciiStrToGuid (


 decoding stops after Length of characters and
outputs Buffer containing


&nb= sp;(Length / 2) bytes.





-  If String is NULL, then ASSERT= ().


-


-  If Buffer is NULL, then ASSERT().


-


-  If Length is not multiple of 2, then ASSERT().


-


-  If PcdMaximumAsciiStringLength is not zero and
Leng= th is greater than


-  PcdM= aximumAsciiStringLength, then ASSERT().


-


-  If MaxBuffer= Size is less than (Length / 2), then
ASSERT().
=

-


 @param  String         =           Pointer to a

Null-

terminated ASCII string.


 @param  Length         =           The number of

ASCII

characters to decode.


&n= bsp;@param  Buffer         &nb= sp;         Pointer to the
converted bytes array.


@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (


 equal or greater than ((AsciiStrLen (Source) + 1)

*

s= izeof (CHAR16)) in bytes.





 If Destination is not aligned= on a 16-bit
boundary,

=
then ASSERT().


-  If an error would be returned, then the function
will also ASSERT().





 If an error is returned, then th= e Destination is
unmodified.




@@ -2678,7 +2573,6= @@ AsciiStrToUnicodeStrS (


&nb= sp;((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) = in bytes.





 If Destination is not aligned on a 16-bit

boundary,

then ASSERT().


-  I= f an error would be returned, then the function
will also ASS= ERT().





 If an error is returned, then Destination andDestinationLength are


 unmodified.
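Review bot: The unchanged context line at the top of this hunk, "((MIN(AsciiStrLen(Source), Length) + 1) * sizeof (CHAR8)) in bytes.", documents a Destination that the next sentence requires to be 16-bit aligned, i.e. a CHAR16 buffer, so the stated minimum size is half of what the function actually writes; the AsciiStrToUnicodeStr paragraph earlier in this patch correctly uses sizeof (CHAR16). Since this patch already corrects the mirror paragraph for UnicodeStrnToAsciiStrS, fixing this sentence in the same series or a follow-up would be appropriate, and the identical text also appears in the SafeString.c copy of this comment later in the diff. A caller sizing a buffer from this comment would under-allocate.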


diff -= -git a/MdePkg/Library/BaseLib/SafeString.c
b/MdePkg/Library/B= aseLib/SafeString.c


index 7dc03= d2caa..1db42abb05 100644


--- a/= MdePkg/Library/BaseLib/SafeString.c


+++ b/MdePkg/Library/BaseLib/SafeString.c


@@ -14,7 +14,6 @@





#define SAFE_STRING_CON= STRAINT_CHECK(Expression,
Status)  \


 do { \


-    ASSERT (Expression); \


   if (!(Expression)) { \


     return Status= ; \


   } \
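Review bot: Removing "ASSERT (Expression);" from SAFE_STRING_CONSTRAINT_CHECK takes away the only DEBUG-build signal that a constraint was violated, so a caller that discards the RETURN_STATUS now fails silently in every build type; consider keeping a non-fatal diagnostic inside the "if (!(Expression)) {" branch, for example DEBUG ((DEBUG_VERBOSE, "SafeString constraint failed: %a\n", #Expression)); which compiles out of RELEASE builds and keeps the failure observable without halting. Also worth stating in the commit message: Expression is now evaluated exactly once instead of once in the ASSERT and once in the if, so the macro is now safe for arguments with side effects.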


@@ -197,7 +196,6 @@ StrnSizeS (





 If Destination is not aligned on a 16-bit

<= span style=3D"font-size: 9pt; font-family: Helvetica, sans-serif;" class=3D= "">boundary,

then A= SSERT().


 If Source is not= aligned on a 16-bit boundary,

then

ASSERT().

<= br class=3D"">-  If an error would be returned, then the function
will also ASSERT().


<= br class=3D"">

 If an error is returned, = then the Destination is
unmodified.





@@ -279,= 7 +277,6 @@ StrCpyS (





 If Length > 0 and Destination= is not aligned on a
16-bit boundary, then ASSERT().


 If Length > 0 and Source is n= ot aligned on a 16-

bit

boundary, then ASSERT().


-  If an error would be returned, then the functionwill also ASSERT().





 If an error is returne= d, then the Destination is
unmodified.





@@ -372,= 7 +369,6 @@ StrnCpyS (





 If Destination is not aligned on= a 16-bit

boundary,

then ASSERT().


 If Source is not aligned on a 16-bit boundary,

then

ASSERT().


-  If an error would be returne= d, then the function
will also ASSERT().





 = If an error is returned, then the Destination is
unmodified.<= br class=3D"">



<= br class=3D"">@@ -473,7 +469,6 @@ StrCatS (




 If Destinat= ion is not aligned on a 16-bit

boundary,

then ASSERT().


 If Source is not aligned on a 16-bit boundary= ,

then

ASSERT().


-  If an = error would be returned, then the function
will also ASSERT()= .





 If an error is returned, then the Destination is
unmodified.





@@ -590,12 +585,7 @@ StrnCatS (


 be ignored. Then, the function = stops at the first
character that is a not a

 valid decimal character or a Null-termina= tor,
whichever one comes first.

=



-  If Stri= ng is NULL, then ASSERT().


- &n= bsp;If Data is NULL, then ASSERT().


 If String is not aligned in a 16-bit boundary,=

then

ASSERT= ().


-  If PcdMaximumUnicod= eStringLength is not zero, and
String contains more than


-  PcdMaximumUnicodeStringLeng= th Unicode characters,
not including the


-  Null-terminator, then ASSERT().





 If String has no valid decimal digits in the above
f= ormat, then 0 is stored


 a= t the location pointed to by Data.
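Review bot: The context line "stops at the first character that is a not a valid decimal character" carries a stray "a" ("that is not a valid"); the same wording recurs in the StrDecimalToUint64S, AsciiStrDecimalToUintnS and AsciiStrDecimalToUint64S hunks below, and since these paragraphs are already being edited it could be cleaned up in this series.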


@@ -705,12 +695,7 @@ StrDecimalToUintnS (


 be ignored. Then, the function stops at the firstcharacter that is a not a


 valid decimal character or a Null-terminator,
w= hichever one comes first.





-  If String is NULL, then ASS= ERT().


-  If Data is NULL,= then ASSERT().


 If String= is not aligned in a 16-bit boundary,

then

ASSERT().


-  If PcdMaximumUnicodeStringLength is not zero,= and
String contains more than

<= br class=3D"">-  PcdMaximumUnicodeStringLength Unicode characters,
not including the


- =  Null-terminator, then ASSERT().





 If String has no = valid decimal digits in the above
format, then 0 is stored

 at the location pointed to = by Data.


@@ -825,12 +810,7 @@ S= trDecimalToUint64S (


 the = first character that is a not a valid
hexadecimal character o= r NULL,


 whichever one com= es first.





-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT()= .


 If String is not aligne= d in a 16-bit boundary,

then

ASSERT().


-  If PcdMaximumUnicodeStringLength is not zero, and
String contains more than


-  PcdMaximumUnicodeStringLength Unicode characters,
n= ot including the


-  Null-t= erminator, then ASSERT().





 If String has no valid hexade= cimal digits in the
above format, then 0 is

 stored at the location pointed to by Data.=


@@ -956,12 +936,7 @@ StrHexToU= intnS (


 the first charact= er that is a not a valid
hexadecimal character or NULL,


 whichever one comes first.





-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT().


 If String is not aligned in a 16-bit b= oundary,

then

ASSERT().


-  = If PcdMaximumUnicodeStringLength is not zero, and
String cont= ains more than


-  PcdMaxim= umUnicodeStringLength Unicode characters,
not including the

-  Null-terminator, then AS= SERT().





 If String has no valid hexadecimal digits in th= e
above format, then 0 is


 stored at the location pointed to by Data.

@@ -1856,8 +1831,6 @@ AsciiStrCpyS (





 This function is similar as strncpy_s defined in
C11= .





-  If an error would be returned, then the functionwill also ASSERT().


-


 If an error is returne= d, then the Destination is
unmodified.





 @p= aram  Destination         &nbs= p;    A pointer to a
Null-terminated Asci= i string.


@@ -1944,8 +1917,6 @@= AsciiStrnCpyS (





 This function is similar as strcat_s d= efined in

C11.





<= br class=3D"">-  If an error would be returned, then the function
will also ASSERT().


-=


 If an error is returned,= then the Destination is
unmodified.





 @p= aram  Destination         &nbs= p;    A pointer to a
Null-terminated Asci= i string.


@@ -2040,8 +2011,6 @@= AsciiStrCatS (



=

 This function is similar as strncat_s d= efined in
C11.




-  If an error would be ret= urned, then the function
will also ASSERT().

-


&= nbsp;If an error is returned, then the Destination is
unmodif= ied.





 @param  Destination    &nbs= p;         A pointer to a
Null-terminated Ascii string.


@@ -2154,12 +2123,6 @@ AsciiStrnCatS (


 be ignored. Then, the function stops at the firstcharacter that is a not a


 valid decimal character or a Null-terminator,
wh= ichever one comes first.





-  If String is NULL, then ASSE= RT().


-  If Data is NULL, = then ASSERT().


-  If PcdMa= ximumAsciiStringLength is not zero, and
String contains more = than


-  PcdMaximumAsciiStr= ingLength Ascii characters, not
including the
<= br class=3D"">
-  Null-terminator, then ASSERT().


-


 If String has no valid decimal digits in the above
format, then 0 is stored


 at the location pointed to by Data.

 If the number represented by String exceeds the
range defined by UINTN, then


@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (


 be ignored. Then, the function stops at the = first
character that is a not a

=
 valid decimal character or a Null-terminator,
whichever one comes first.





-  If String is NULL, = then ASSERT().


-  If Data = is NULL, then ASSERT().


-  = ;If PcdMaximumAsciiStringLength is not zero, and
String conta= ins more than


-  PcdMaximu= mAsciiStringLength Ascii characters, not
including the


-  Null-terminator, then ASSERT(= ).


-


 If String has no valid decimal digits in the above<= br class=3D"">format, then 0 is stored


 at the location pointed to by Data.


 If the number represented by String exceeds the=
range defined by UINT64, then

<= br class=3D"">@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (


 character that is a not a valid hexa= decimal
character or Null-terminator,


 whichever on comes first.





-  = ;If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT().


-  If PcdMaximumAsciiStringLength is not zero, and
String contains more than


-  PcdMaximumAsciiStringLength Ascii characters, not
including the


-  Nu= ll-terminator, then ASSERT().


-=


 If String has no valid h= exadecimal digits in the
above format, then 0 is


 stored at the location pointed to by = Data.


 If the number repre= sented by String exceeds the
range defined by UINTN, then
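Review bot: The context line "whichever on comes first." has a typo ("one"), here and in the following AsciiStrHexToUint64S hunk; both paragraphs are already touched by this patch, so it is a cheap fix to include.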


@@ -2509,12 +2460,6 @@ AsciiStrHex= ToUintnS (


 character that= is a not a valid hexadecimal
character or Null-terminator,

 whichever on comes first.<= br class=3D"">



<= br class=3D"">-  If String is NULL, then ASSERT().


-  If Data is NULL, then ASSERT().


-  If PcdMaximumAsciiStringLength= is not zero, and
String contains more than

-  PcdMaximumAsciiStringLength Ascii charac= ters, not
including the


-  Null-terminator, then ASSERT().


-


 If Stri= ng has no valid hexadecimal digits in the
above format, then = 0 is


 stored at the locati= on pointed to by Data.


 If= the number represented by String exceeds the
range defined b= y UINT64, then


@@ -2635,7 +2580= ,6 @@ AsciiStrHexToUint64S (


&n= bsp;the upper 8 bits, then ASSERT().





 If Source is not = aligned on a 16-bit boundary,

then

ASSERT().

-  If an error would be returned, then the function
will also ASSERT().




 If an error is returned, t= hen the Destination is
unmodified.





@@ -2735,7 += 2679,6 @@ UnicodeStrToAsciiStrS (


 If any Unicode characters in Source contain non-

<= span style=3D"font-size: 9pt; font-family: Helvetica, sans-serif;" class=3D= "">zero

value in the = upper 8


 bits, then ASSERT= ().


 If Source is not alig= ned on a 16-bit boundary,

then

ASSERT().


-  If an error would be returned, then the function
will also ASSERT().





 If an error is returned, the= n Destination and
DestinationLength are


 unmodified.


@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (


 ((MIN(AsciiStrLen(Source), Length) + 1) * si= zeof
(CHAR8)) in bytes.





 If Destination is= not aligned on a 16-bit

boundary,

then ASSERT().


-  If an error would be returned, then the function<= br class=3D"">will also ASSERT().





 If an error is return= ed, then Destination and
DestinationLength are
=

 unmodified.


@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (


 "::" can be used to compress one= or more groups of

X

when X contains only 0.


 The "::" can only appear once in the String.





-  If String is NULL, then ASSERT().


-


-  If = Address is NULL, then ASSERT().


-


 If EndPointer is not N= ULL and Address is

translated

from String, a pointer


 to the character that stopped the scan is store= d

at

the location pointed to


=  by EndPointer.


@@ -3291,1= 0 +3229,6 @@ AsciiStrToIpv6Address (


 When /P is in the String, the function stops at

the

first = character that is not


 a v= alid decimal digit character after P is
converted.





-  If String is NULL, then ASSERT().


-


-  If = Address is NULL, then ASSERT().


-


 If EndPointer is not N= ULL and Address is

translated

from String, a pointer


 to the character that stopped the scan is store= d

at

the location pointed to


=  by EndPointer.


@@ -3448,9= +3382,6 @@ AsciiStrToIpv4Address (


           &n= bsp;     oo       &n= bsp;  Data4[48:55]


&n= bsp;            = ;    pp         = ; Data4[56:63]





-  If String is NULL, then ASSERT= ().


-  If Guid is NULL, th= en ASSERT().


-

 @param  String    &nb= sp;            =   Pointer to a

Null-

terminated ASCII string.


 @param  Guid     &nb= sp;            =    Pointer to the
converted GUID.





@@ -3550,17 +3481,6 @@ AsciiStrToGuid (


 decoding stops after Length of characters and
outputs Buffer containing


&nb= sp;(Length / 2) bytes.





-  If String is NULL, then ASSERT= ().


-


-  If Buffer is NULL, then ASSERT().


-


-  If Length is not multiple of 2, then ASSERT().


-


-  If PcdMaximumAsciiStringLength is not zero and
Leng= th is greater than


-  PcdM= aximumAsciiStringLength, then ASSERT().


-


-  If MaxBuffer= Size is less than (Length / 2), then
ASSERT().
=

-


 @param  String         =           Pointer to a

Null-

terminated ASCII string.


 @param  Length         =           The number of

ASCII

characters to decode.


=  @param  Buffer         &= nbsp;         Pointer to theconverted bytes array.


--


2.24.2 (Apple Git-127= )





 
 

 
=  
