REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2117 avoid path traversal attack check.
Cc: Bob Feng
Cc: Liming Gao
Signed-off-by: Yunhua Feng
---
 Silicon/Intel/Tools/FitGen/FitGen.c | 47 +++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/Silicon/Intel/Tools/FitGen/FitGen.c b/Silicon/Intel/Tools/FitGen/FitGen.c
index 8122c10ebb..42d10d85bc 100644
--- a/Silicon/Intel/Tools/FitGen/FitGen.c
+++ b/Silicon/Intel/Tools/FitGen/FitGen.c
@@ -401,10 +401,38 @@ SetMem (
 *(Pointer++) = Value;
 }
 return Buffer;
 }
+BOOLEAN
+CheckPath (
+ IN CHAR8 * String
+)
+{
+ //
+//Return FLASE if input file path include % character or is NULL
+ //
+ CHAR8 *StrPtr;
+
+ StrPtr = String;
+ if (StrPtr == NULL) {
+ return FALSE;
+ }
+
+ if (*StrPtr == 0) {
+ return FALSE;
+ }
+
+ while (*StrPtr != '\0') {
+ if (*StrPtr == '%') {
+ return FALSE;
+ }
+ StrPtr++;
+ }
+ return TRUE;
+}
+
 STATUS
 ReadInputFile (
 IN CHAR8 *FileName,
 OUT UINT8 **FileData,
 OUT UINT32 *FileSize,
@@ -433,10 +461,19 @@ Returns:
 {
 FILE *FpIn;
 UINT32 TempResult;
 //
+//Check the File Path
+ //
+ if (!CheckPath(FileName)) {
+
+ Error (NULL, 0, 0, "File path is invalid!", NULL);
+ return STATUS_ERROR;
+ }
+
+ //
 // Open the Input FvRecovery.fv file
 //
 if ((FpIn = fopen (FileName, "rb")) == NULL) {
 //
 // Return WARNING, let caller make decision
@@ -2759,10 +2796,19 @@ Returns:
 --*/
 {
 FILE *FpOut;
 //
+//Check the File Path
+ //
+ if (!CheckPath(FileName)) {
+
+ Error (NULL, 0, 0, "File path is invalid!", NULL);
+ return STATUS_ERROR;
+ }
+
+ //
 // Open the output FvRecovery.fv file
 //
 if ((FpOut = fopen (FileName, "w+b")) == NULL) {
 Error (NULL, 0, 0, "Unable to open file", "%s", FileName);
 return STATUS_ERROR;
@@ -2980,10 +3026,11 @@ Returns:
 UINT8 *FdFileBuffer;
 UINT32 FdFileSize;
 UINT8 *AcmBuffer;
+ FileBufferRaw = NULL;
 //
 // Step 0: Check FV or FD
 //
 if (((strcmp (argv[1], "-D") == 0) || (strcmp (argv[1], "-d") == 0)) ) {
--
2.12.2.windows.2
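Review bot: CheckPath rejects only a NULL, empty, or '%'-containing path, so it does not do what the subject line claims — `..` segments, path separators and absolute paths all pass, and the fopen() calls it guards will still follow them. If the '%' filter exists because FileName can reach a printf-style format string somewhere (the visible Error calls already pass it through `"%s"`, so that is an inference), the function comment should say so; I would rewrite the header as `// Return FALSE if the path is NULL, empty, or contains '%'. This is not a traversal check: ".." and separators are accepted.` and fix the `FLASE` typo. If traversal is the real concern, the fix belongs at the caller: canonicalize the path and compare it against an allowed base directory rather than scanning for one character. CheckPath is fully inside the hunk; ReadInputFile's body continues past it.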
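Review bot: The new failure branch in ReadInputFile drops the offending path from the diagnostic, while the fopen() branch right below prints it with `"%s", FileName`, so a user hit by the new check cannot tell which input was rejected. Since CheckPath also returns FALSE for a NULL pointer, print it guarded: `Error (NULL, 0, 0, "File path is invalid", "%s", FileName == NULL ? "(null)" : FileName);` — the argument is passed through "%s", so a '%' in the name cannot act as a format directive here. Note also that an unopenable file in this function is documented as a WARNING left to the caller, whereas the new check returns STATUS_ERROR; if that asymmetry is intended, a one-line comment saying why would help. ReadInputFile's body runs beyond both ends of this hunk.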