From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Permerror (SPF Permanent Error: Two or more type TXT spf records found.) identity=mailfrom; client-ip=134.134.136.65; helo=mga03.intel.com; envelope-from=eric.dong@intel.com; receiver=edk2-devel@lists.01.org Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 465E121B02822 for ; Mon, 3 Sep 2018 17:55:00 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Sep 2018 17:54:59 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,327,1531810800"; d="scan'208";a="82713566" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by fmsmga002.fm.intel.com with ESMTP; 03 Sep 2018 17:54:39 -0700 Received: from fmsmsx112.amr.corp.intel.com (10.18.116.6) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 3 Sep 2018 17:54:39 -0700 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by FMSMSX112.amr.corp.intel.com (10.18.116.6) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 3 Sep 2018 17:54:38 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.226]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.143]) with mapi id 14.03.0319.002; Tue, 4 Sep 2018 08:54:37 +0800 From: "Dong, Eric" To: "Bi, Dandan" , "edk2-devel@lists.01.org" Thread-Topic: [patch] MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool Thread-Index: AQHUPnOxV4cf0g83i0am3WZQ/gS2FaTfVqsw Date: Tue, 4 Sep 2018 00:54:36 +0000 Message-ID: References: <20180828020548.28096-1-dandan.bi@intel.com> In-Reply-To: <20180828020548.28096-1-dandan.bi@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNDRjZDc5ZDEtMjRkYS00YzNmLTk2NWYtMjEzMTQzMTFkMGQ0IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoibXJHUHJGUUxEd0NqYkR4OWNNWGU5WUtDbHJXbDlkZXpxYXdoaFV1a2JXUVRpK0x4S1JHUlA0NW1iZ3lHc0F6YyJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [patch] MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Sep 2018 00:55:00 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Eric Dong -----Original Message----- From: Bi, Dandan=20 Sent: Tuesday, August 28, 2018 10:06 AM To: edk2-devel@lists.01.org Cc: Dong, Eric Subject: [patch] MdeModulePkg/Setup: Fix incorrect size used in AllocateCop= yPool REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1115 When the type of HiiValue is EFI_IFR_TYPE_BUFFER, its question type is EFI_= IFR_ORDERED_LIST_OP. And the buffer size allocated for Statement->BufferValue of orderedList is = "Statement->StorageWidth" in IfrParse.c. So here when backup the buffer value and copy the size of "Statement->Stora= geWidth + sizeof(CHAR16)" is incorrect. This patch is to fix this issue. Cc: Eric Dong Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Dandan Bi --- MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c b/MdeMod= ulePkg/Universal/SetupBrowserDxe/Presentation.c index ded1c7ad11..58daaab404 100644 --- a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c +++ b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c @@ -2002,11 +2002,11 @@ ProcessCallBackFunction ( // // If EFI_BROWSER_ACTION_CHANGING type, back up the new question value= . // if (Action =3D=3D EFI_BROWSER_ACTION_CHANGING) { if (HiiValue->Type =3D=3D EFI_IFR_TYPE_BUFFER) { - BackUpBuffer =3D AllocateCopyPool(Statement->StorageWidth + sizeof= (CHAR16), Statement->BufferValue); + BackUpBuffer =3D AllocateCopyPool(Statement->StorageWidth,=20 + Statement->BufferValue); ASSERT (BackUpBuffer !=3D NULL); } else { CopyMem (&BackUpValue, &HiiValue->Value, sizeof (EFI_IFR_TYPE_VALU= E)); } } @@ -2128,11 +2128,11 @@ ProcessCallBackFunction ( // then the browser will use the value passed to Callback() and igno= re the // value returned by Callback(). // if (Action =3D=3D EFI_BROWSER_ACTION_CHANGING && Status =3D=3D EFI_= UNSUPPORTED) { if (HiiValue->Type =3D=3D EFI_IFR_TYPE_BUFFER) { - CopyMem (Statement->BufferValue, BackUpBuffer, Statement->Storag= eWidth + sizeof(CHAR16)); + CopyMem (Statement->BufferValue, BackUpBuffer,=20 + Statement->StorageWidth); } else { CopyMem (&HiiValue->Value, &BackUpValue, sizeof (EFI_IFR_TYPE_VA= LUE)); } =20 // -- 2.14.3.windows.1