From: Vin Xue <vinxue@outlook.com>
To: devel@edk2.groups.io
Subject: [PATCH] SignedCapsulePkg: Address NULL pointer dereference case.
Date: Mon, 13 Jul 2020 10:37:43 +0800
Message-ID: <SL2PR03MB44426E9DF4D5FD4E63F06FF7C5600@SL2PR03MB4442.apcprd03.prod.outlook.com>
The original code calls GetFmpImageDescriptors for the OriginalFmpImageInfoBuf
pointer; if it fails, it returns a NULL pointer. OriginalFmpImageInfoBuf
should not be NULL, and the NULL pointer dereference case
should be a false positive.
Signed-off-by: Vin Xue <vinxue@outlook.com>
---
.../SystemFirmwareUpdateDxe.c | 39 ++++++++++---------
1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c b/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c
index bdb70bdb32..ea795cd7db 100644
--- a/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c
+++ b/SignedCapsulePkg/Universal/SystemFirmwareUpdate/SystemFirmwareUpdateDxe.c
@@ -681,32 +681,35 @@ FindMatchingFmpHandles (
//
// Loop through the set of EFI_FIRMWARE_IMAGE_DESCRIPTORs.
//
- FmpImageInfoBuf = OriginalFmpImageInfoBuf;
MatchFound = FALSE;
- for (Index2 = 0; Index2 < FmpImageInfoCount; Index2++) {
- for (Index3 = 0; Index3 < mSystemFmpPrivate->DescriptorCount; Index3++) {
- MatchFound = CompareGuid (
- &FmpImageInfoBuf->ImageTypeId,
- &mSystemFmpPrivate->ImageDescriptor[Index3].ImageTypeId
- );
+ if (OriginalFmpImageInfoBuf != NULL) {
+ FmpImageInfoBuf = OriginalFmpImageInfoBuf;
+
+ for (Index2 = 0; Index2 < FmpImageInfoCount; Index2++) {
+ for (Index3 = 0; Index3 < mSystemFmpPrivate->DescriptorCount; Index3++) {
+ MatchFound = CompareGuid (
+ &FmpImageInfoBuf->ImageTypeId,
+ &mSystemFmpPrivate->ImageDescriptor[Index3].ImageTypeId
+ );
+ if (MatchFound) {
+ break;
+ }
+ }
if (MatchFound) {
break;
}
+ //
+ // Increment the buffer pointer ahead by the size of the descriptor
+ //
+ FmpImageInfoBuf = (EFI_FIRMWARE_IMAGE_DESCRIPTOR *)(((UINT8 *)FmpImageInfoBuf) + DescriptorSize);
}
if (MatchFound) {
- break;
+ HandleBuffer[*HandleCount] = HandleBuffer[Index];
+ (*HandleCount)++;
}
- //
- // Increment the buffer pointer ahead by the size of the descriptor
- //
- FmpImageInfoBuf = (EFI_FIRMWARE_IMAGE_DESCRIPTOR *)(((UINT8 *)FmpImageInfoBuf) + DescriptorSize);
- }
- if (MatchFound) {
- HandleBuffer[*HandleCount] = HandleBuffer[Index];
- (*HandleCount)++;
- }
- FreePool (OriginalFmpImageInfoBuf);
+ FreePool (OriginalFmpImageInfoBuf);
+ }
}
if ((*HandleCount) == 0) {
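Review bot: the guard added at `+ if (OriginalFmpImageInfoBuf != NULL) {` wraps the whole matching loop and the `FreePool`, so a handle whose descriptors could not be read is now skipped with no trace; since the commit message states this path is a false positive that should never occur, add a `DEBUG` message (or an `ASSERT (OriginalFmpImageInfoBuf != NULL)`) inside the else case so a real failure of GetFmpImageDescriptors is visible rather than silently dropping that FMP handle. A `continue` placed directly after the GetFmpImageDescriptors call that produces the buffer would give the same protection without re-indenting the entire loop body, which would also shrink this diff to a few lines and make the actual change easier to review.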
--
2.27.0.windows.1
Thread overview (4+ messages):
2020-07-13 2:37 Vin Xue [this message]
2020-07-14 2:07 [PATCH] SignedCapsulePkg: Address NULL pointer dereference case Vin Xue
2020-07-14 2:09 Vin Xue
2020-07-16 8:31 ` Yao, Jiewen