From: "Dong, Eric"
To: "Bi, Dandan", "edk2-devel@lists.01.org"
CC: "Gao, Liming"
Date: Tue, 29 Aug 2017 05:33:36 +0000
Subject: Re: [patch] MdeModulePkg/UefiHiiLib: Fix incorrect check for string length
References: <1503889775-332544-1-git-send-email-dandan.bi@intel.com>
In-Reply-To: <1503889775-332544-1-git-send-email-dandan.bi@intel.com>

Dandan,

Please add more comments why " / 4" is correct here.

+      // e.g Config String: "0041004200430044", Unicode String: "ABCD". Unicode String length = Config String length / 4.
       //
-      if (StrSize (StringPtr) > Width) {
+      if (StrLen (StringPtr) / 4 > IfrString->MaxSize) {

Thanks,
Eric

-----Original Message-----
From: Bi, Dandan
Sent: Monday, August 28, 2017 11:10 AM
To: edk2-devel@lists.01.org
Cc: Dong, Eric; Gao, Liming
Subject: [patch] MdeModulePkg/UefiHiiLib: Fix incorrect check for string length

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=681

For string opcode, when checking the valid string length, it should exclude the Null-terminated character. And for string in NameValue storage, need to exclude the varname and then convert the Config string length to Unicode string length.

Cc: Eric Dong
Cc: Liming Gao
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi
---
 MdeModulePkg/Library/UefiHiiLib/HiiLib.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c b/MdeModulePkg/Librar= y/UefiHiiLib/HiiLib.c index cd0cd35..d89e5f3 100644 --- a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c +++ b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c @@ -1605,11 +1605,11 @@ ValidateQuestionFromVfr ( IfrString =3D (EFI_IFR_STRING *) IfrOpHdr; if (IfrString->Question.VarStoreId !=3D VarStoreData.VarStoreId)= { break; } // - // Get Width by OneOf Flags + // Get the Max size of the string. // Width =3D (UINT16) (IfrString->MaxSize * sizeof (UINT16)); if (NameValueType) { QuestionName =3D HiiGetString (HiiHandle, IfrString->Question.= VarStoreInfo.VarName, NULL); ASSERT (QuestionName !=3D NULL); @@ -1619,20 +1619,25 @@ Valid= ateQuestionFromVfr ( // // This question is not in the current configuration string.= Skip it. // break; } + // + // Skip the VarName. + // + StringPtr +=3D StrLen (QuestionName); =20 // // Skip the "=3D". //=20 StringPtr +=3D 1; =20 // // Check current string length is less than maxsize + // e.g Config String: "0041004200430044", Unicode String: "ABC= D". Unicode String length =3D Config String length / 4. // - if (StrSize (StringPtr) > Width) { + if (StrLen (StringPtr) / 4 > IfrString->MaxSize) { return EFI_INVALID_PARAMETER; } } else { // // Get Offset/Width by Question header and OneOf Flags @@ -165= 8,11 +1663,11 @@ ValidateQuestionFromVfr ( } =20 // // Check current string length is less than maxsize // - if (StrSize ((CHAR16 *) (VarBuffer + Offset)) > Width) { + if (StrLen ((CHAR16 *) (VarBuffer + Offset)) >=20 + IfrString->MaxSize) { return EFI_INVALID_PARAMETER; } } break; case EFI_IFR_ONE_OF_OPTION_OP: -- 1.9.5.msysgit.1
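Review bot: In the first hunk (the EFI_IFR_STRING_OP case around line 1605), Width is still assigned from IfrString->MaxSize * sizeof (UINT16), but after this patch neither string-length comparison uses it: the NameValue branch now compares StrLen (StringPtr) / 4 against IfrString->MaxSize and the buffer branch compares StrLen (...) against IfrString->MaxSize. If Width has no remaining use in this case (for example an Offset/Width bounds check against the VarBuffer size that is outside the hunk), drop the assignment so the new comment "Get the Max size of the string." does not describe a dead variable; if it is still used, the comment should say what for.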
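Review bot: In the NameValue hunk (around line 1619), `StrLen (StringPtr) / 4` measures everything from the first value character to the end of StringPtr. The visible lines skip the VarName and the "=" but never stop at the "&" that separates Name=Value pairs in a configuration string, so if StringPtr is the whole configuration string rather than this question's segment, a value of valid length followed by further pairs is counted as too long and rejected with EFI_INVALID_PARAMETER (the old StrSize check had the same property). Two smaller points on the same line: integer division truncates, so a value with 4 * MaxSize + 1 to 3 hex digits passes, and `if ((StrLen (StringPtr) % 4) != 0)` would catch such a malformed encoding; and, to answer Eric's request, the comment should state explicitly that each CHAR16 is encoded as four hexadecimal characters and whether the terminating NUL is part of the encoded value, since the off-by-one the commit message fixes depends on that.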
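Review bot: In the buffer-storage hunk (around line 1658), `StrLen ((CHAR16 *) (VarBuffer + Offset))` scans until it finds a NUL, and the question's storage field need not contain one: this change now accepts a string of exactly MaxSize characters, and when the field is MaxSize characters wide the NUL lies outside it, so the scan reads on into whatever variable data follows (the replaced StrSize had the same problem). A bounded length such as `StrnLenS ((CHAR16 *) (VarBuffer + Offset), Width / sizeof (CHAR16))` stays inside the field and still yields MaxSize for a full field, so the `> IfrString->MaxSize` test keeps working. The comment "Check current string length is less than maxsize" should also read "does not exceed MaxSize", since equality is now allowed.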
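The two checks the patch touches, written out as an added example that is not EDK II code and not from the patch author: a NameValue check that bounds the value at "&" and rejects partial hex code units, and a buffer check that never scans past the question's Width-byte field. The CHAR16/UINTN stand-ins, the HII_* result codes and every function name here are assumptions for a hosted build; like the patch, it assumes the terminating NUL is not encoded in the config string value, so a value of exactly MaxSize characters is valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hosted stand-ins for the EDK II types HiiLib.c uses (assumption; the real
 * code gets these from MdePkg/Include/Base.h). */
typedef uint16_t CHAR16;
typedef uint8_t  UINT8;
typedef size_t   UINTN;

#define HII_OK            0
#define HII_SKIP          1    /* question is not in this config string */
#define HII_INVALID_PARAM (-1) /* stands for EFI_INVALID_PARAMETER */

/* Test helper (not EDK II API): widen ASCII to UCS-2; returns the length. */
UINTN AsciiToUcs2(const char *Ascii, CHAR16 *Out, UINTN OutChars) {
  UINTN N = 0;
  while (Ascii[N] != '\0' && N + 1 < OutChars) { Out[N] = (CHAR16)(UINT8)Ascii[N]; N++; }
  Out[N] = 0;
  return N;
}

static UINTN Ucs2Len(const CHAR16 *S) { UINTN N = 0; while (S[N] != 0) N++; return N; }

static int IsHexChar(CHAR16 C) {
  return (C >= '0' && C <= '9') || (C >= 'a' && C <= 'f') || (C >= 'A' && C <= 'F');
}

/* True if S starts with Prefix; stops at S's NUL, so it never overruns. */
static int Ucs2HasPrefix(const CHAR16 *S, const CHAR16 *Prefix) {
  for (; *Prefix != 0; S++, Prefix++) if (*S != *Prefix) return 0;
  return 1;
}

/* Locate "<VarName>=" as a whole field (at the start or right after '&'), so
 * "Name=" is not matched inside "UserName=". Returns the first value char. */
static const CHAR16 *FindNameValue(const CHAR16 *Config, const CHAR16 *VarName) {
  UINTN NameLen = Ucs2Len(VarName);
  const CHAR16 *P;
  for (P = Config; *P != 0; P++) {
    if ((P == Config || P[-1] == '&') && Ucs2HasPrefix(P, VarName) && P[NameLen] == '=')
      return P + NameLen + 1;
  }
  return NULL;
}

/* NameValue storage: each UCS-2 code unit is four hex digits and the value ends
 * at '&' or end of string. As in the patch, the NUL is assumed not to be
 * encoded, so exactly MaxSize characters is valid; unlike StrLen (StringPtr) / 4
 * this stops at '&' and rejects partial code units or non-hex digits. */
int ValidateNameValueString(const CHAR16 *Config, const CHAR16 *VarName, UINTN MaxSize) {
  const CHAR16 *Value = FindNameValue(Config, VarName);
  UINTN HexLen = 0;
  if (Value == NULL) return HII_SKIP;
  for (; Value[HexLen] != 0 && Value[HexLen] != '&'; HexLen++)
    if (!IsHexChar(Value[HexLen])) return HII_INVALID_PARAM;
  if (HexLen % 4 != 0) return HII_INVALID_PARAM;        /* truncated code unit */
  return (HexLen / 4 > MaxSize) ? HII_INVALID_PARAM : HII_OK;
}

/* Buffer storage: the string occupies Width bytes at VarBuffer + Offset. Count
 * characters only inside that field (what StrnLenS would do), so a value that
 * fills the field with no NUL cannot make the scan run into neighbouring data. */
int ValidateBufferString(const UINT8 *VarBuffer, UINTN BufferSize, UINTN Offset, UINTN Width, UINTN MaxSize) {
  UINTN Chars = 0, Limit;
  if (Width % sizeof(CHAR16) != 0 || Offset > BufferSize || Width > BufferSize - Offset)
    return HII_INVALID_PARAM;
  for (Limit = Width / sizeof(CHAR16); Chars < Limit; Chars++) {
    CHAR16 C;
    memcpy(&C, VarBuffer + Offset + Chars * sizeof(CHAR16), sizeof(CHAR16)); /* may be unaligned */
    if (C == 0) break;
  }
  return (Chars > MaxSize) ? HII_INVALID_PARAM : HII_OK;
}

/* Convenience wrapper taking ASCII so constructed cases are easy to read. */
int CheckNameValueAscii(const char *Config, const char *VarName, UINTN MaxSize) {
  CHAR16 Cfg[128], Name[32];
  AsciiToUcs2(Config, Cfg, 128);
  AsciiToUcs2(VarName, Name, 32);
  return ValidateNameValueString(Cfg, Name, MaxSize);
}

/* Place Text in a Width-byte field at Offset of a constructed 64-byte buffer
 * whose other bytes are 0xAA (no stray NULs); the NUL is written only if it fits. */
int CheckBufferAscii(const char *Text, UINTN Offset, UINTN Width, UINTN MaxSize) {
  UINT8 Buf[64];
  CHAR16 Tmp[32];
  UINTN N, I;
  memset(Buf, 0xAA, sizeof Buf);
  N = AsciiToUcs2(Text, Tmp, 32);
  if (Offset + Width <= sizeof Buf)
    for (I = 0; I < Width / sizeof(CHAR16) && I <= N; I++)
      memcpy(Buf + Offset + I * sizeof(CHAR16), &Tmp[I], sizeof(CHAR16));
  return ValidateBufferString(Buf, sizeof Buf, Offset, Width, MaxSize);
}
```

With the old `StrSize (StringPtr) > Width` check, the four-character value "0041004200430044" (34 bytes including NUL) was rejected against a Width of 8 bytes even though it fits MaxSize 4; the example accepts it, still rejects it for MaxSize 3, and accepts "Name=00410042&Other=..." for MaxSize 2 where an unbounded `StrLen / 4` would count the trailing pair and reject it.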