SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, SecDataDirLeft

The following two quantities:

  SecDataDir->VirtualAddress + SecDataDir->Size
  SecDataDir->VirtualAddress + SecDataDir->Size - OffSet

are used multiple times in DxeImageVerificationHandler(). Introduce helper
variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
This saves us multiple calculations and significantly simplifies the code.

Note that all three summands above have type UINT32, therefore the new
variables are also of type UINT32.

This patch does not change behavior.

(Note that the code already handles the case when the

  SecDataDir->VirtualAddress + SecDataDir->Size

UINT32 addition overflows -- namely, in that case, the certificate loop is
never entered, and the corruption check right after the loop fires.)

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Wenyi Xie <xiewenyi2@huawei.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200901091221.20948-2-lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
Reviewed-by: Min M Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b08fe24e85aa3615f8aa10d4b1c5501d923baac2..377feebb205a52eca5b627933e3a026beab42621 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1652,6 +1652,8 @@ DxeImageVerificationHandler (
   UINT8                                *AuthData;\r
   UINTN                                AuthDataSize;\r
   EFI_IMAGE_DATA_DIRECTORY             *SecDataDir;\r
+  UINT32                               SecDataDirEnd;\r
+  UINT32                               SecDataDirLeft;\r
   UINT32                               OffSet;\r
   CHAR16                               *NameStr;\r
   RETURN_STATUS                        PeCoffStatus;\r
@@ -1849,12 +1851,14 @@ DxeImageVerificationHandler (
   // "Attribute Certificate Table".\r
   // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file.\r
   //\r
+  SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;\r
   for (OffSet = SecDataDir->VirtualAddress;\r
-       OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);\r
+       OffSet < SecDataDirEnd;\r
        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {\r
     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);\r
-    if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||\r
-        (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {\r
+    SecDataDirLeft = SecDataDirEnd - OffSet;\r
+    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||\r
+        SecDataDirLeft < WinCertificate->dwLength) {\r
       break;\r
     }\r
 \r
@@ -1948,7 +1952,7 @@ DxeImageVerificationHandler (
     }\r
   }\r
 \r
-  if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {\r
+  if (OffSet != SecDataDirEnd) {\r
     //\r
     // The Size in Certificate Table or the attribute certificate table is corrupted.\r
     //\r