BaseTools/C/Common: Fix potential null pointer dereference

[mirror_edk2.git] / BaseTools / Source / C / Common / Decompress.c

diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
index 48578ea2f2d27bc0cca2ac08bcc993ed7844497f..8f1afb4e406e0d7bf4250451218ff9b683f6807f 100644 (file)
--- a/BaseTools/Source/C/Common/Decompress.c
+++ b/BaseTools/Source/C/Common/Decompress.c
@@ -2,7 +2,7 @@
 Decompressor. Algorithm Ported from OPSD code (Decomp.asm) for Efi and Tiano \r
 compress algorithm.\r
 \r
-Copyright (c) 2004 - 2014, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2004 - 2017, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions of the BSD License\r
 which accompanies this distribution.  The full text of the license may be found at\r
@@ -15,6 +15,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 \r
 #include <stdlib.h>\r
 #include <string.h>\r
+#include <assert.h>\r
 #include "Decompress.h"\r
 \r
 //\r
@@ -88,11 +89,11 @@ Returns: (VOID)
 \r
 --*/\r
 {\r
-  Sd->mBitBuf = (UINT32) (Sd->mBitBuf << NumOfBits);\r
+  Sd->mBitBuf = (UINT32) (((UINT64)Sd->mBitBuf) << NumOfBits);\r
 \r
   while (NumOfBits > Sd->mBitCount) {\r
 \r
-    Sd->mBitBuf |= (UINT32) (Sd->mSubBitBuf << (NumOfBits = (UINT16) (NumOfBits - Sd->mBitCount)));\r
+    Sd->mBitBuf |= (UINT32) (((UINT64)Sd->mSubBitBuf) << (NumOfBits = (UINT16) (NumOfBits - Sd->mBitCount)));\r
 \r
     if (Sd->mCompSize > 0) {\r
       //\r
@@ -240,7 +241,7 @@ Returns:
   for (Char = 0; Char < NumOfChar; Char++) {\r
 \r
     Len = BitLen[Char];\r
-    if (Len == 0) {\r
+    if (Len == 0 || Len >= 17) {\r
       continue;\r
     }\r
 \r
@@ -373,6 +374,8 @@ Returns:
   UINT16  Index;\r
   UINT32  Mask;\r
 \r
+  assert (nn <= NPT);\r
+\r
   Number = (UINT16) GetBits (Sd, nbit);\r
 \r
   if (Number == 0) {\r
@@ -391,7 +394,7 @@ Returns:
 \r
   Index = 0;\r
 \r
-  while (Index < Number) {\r
+  while (Index < Number && Index < NPT) {\r
 \r
     CharC = (UINT16) (Sd->mBitBuf >> (BITBUFSIZ - 3));\r
 \r
@@ -410,14 +413,14 @@ Returns:
     if (Index == Special) {\r
       CharC = (UINT16) GetBits (Sd, 2);\r
       CharC--;\r
-      while ((INT16) (CharC) >= 0) {\r
+      while ((INT16) (CharC) >= 0 && Index < NPT) {\r
         Sd->mPTLen[Index++] = 0;\r
         CharC--;\r
       }\r
     }\r
   }\r
 \r
-  while (Index < nn) {\r
+  while (Index < nn && Index < NPT) {\r
     Sd->mPTLen[Index++] = 0;\r
   }\r
 \r
@@ -675,7 +678,7 @@ Arguments:
 \r
 Returns:\r
 \r
-  EFI_SUCCESS           - The size of destination buffer and the size of scratch buffer are successull retrieved.\r
+  EFI_SUCCESS           - The size of destination buffer and the size of scratch buffer are successfully retrieved.\r
   EFI_INVALID_PARAMETER - The source data is corrupted\r
 \r
 --*/\r
@@ -810,7 +813,7 @@ Arguments:
 \r
 Returns:\r
 \r
-  EFI_SUCCESS           - The size of destination buffer and the size of scratch buffer are successull retrieved.\r
+  EFI_SUCCESS           - The size of destination buffer and the size of scratch buffer are successfully retrieved.\r
   EFI_INVALID_PARAMETER - The source data is corrupted\r
 \r
 --*/\r
@@ -840,7 +843,7 @@ Arguments:
 \r
 Returns:\r
 \r
-  EFI_SUCCESS           - The size of destination buffer and the size of scratch buffer are successull retrieved.\r
+  EFI_SUCCESS           - The size of destination buffer and the size of scratch buffer are successfully retrieved.\r
   EFI_INVALID_PARAMETER - The source data is corrupted\r
 \r
 --*/\r
@@ -931,7 +934,9 @@ Extract (
   UINT32        ScratchSize;\r
   EFI_STATUS    Status;\r
 \r
-  Status = EFI_SUCCESS;\r
+  Scratch = NULL;\r
+  Status  = EFI_SUCCESS;\r
+\r
   switch (Algorithm) {\r
   case 0:\r
     *Destination = (VOID *)malloc(SrcSize);\r
@@ -945,30 +950,44 @@ Extract (
     Status = EfiGetInfo(Source, SrcSize, DstSize, &ScratchSize);\r
     if (Status == EFI_SUCCESS) {\r
       Scratch = (VOID *)malloc(ScratchSize);\r
+      if (Scratch == NULL) {\r
+        return EFI_OUT_OF_RESOURCES;\r
+      }\r
+\r
       *Destination = (VOID *)malloc(*DstSize);\r
-      if (Scratch != NULL && *Destination != NULL) {\r
-        Status = EfiDecompress(Source, SrcSize, *Destination, *DstSize, Scratch, ScratchSize);\r
-      } else {\r
-        Status = EFI_OUT_OF_RESOURCES;\r
+      if (*Destination == NULL) {\r
+        free (Scratch);\r
+        return EFI_OUT_OF_RESOURCES;\r
       }\r
+\r
+      Status = EfiDecompress(Source, SrcSize, *Destination, *DstSize, Scratch, ScratchSize);\r
     }\r
     break;\r
   case 2:\r
     Status = TianoGetInfo(Source, SrcSize, DstSize, &ScratchSize);\r
     if (Status == EFI_SUCCESS) {\r
       Scratch = (VOID *)malloc(ScratchSize);\r
+      if (Scratch == NULL) {\r
+        return EFI_OUT_OF_RESOURCES;\r
+      }\r
+\r
       *Destination = (VOID *)malloc(*DstSize);\r
-      if (Scratch != NULL && *Destination != NULL) {\r
-        Status = TianoDecompress(Source, SrcSize, *Destination, *DstSize, Scratch, ScratchSize);\r
-      } else {\r
-        Status = EFI_OUT_OF_RESOURCES;\r
+      if (*Destination == NULL) {\r
+        free (Scratch);\r
+        return EFI_OUT_OF_RESOURCES;\r
       }\r
+\r
+      Status = TianoDecompress(Source, SrcSize, *Destination, *DstSize, Scratch, ScratchSize);\r
     }\r
     break;\r
   default:\r
     Status = EFI_INVALID_PARAMETER;\r
   }\r
 \r
+  if (Scratch != NULL) {\r
+    free (Scratch);\r
+  }\r
+\r
   return Status;\r
 }\r
 \r