/*++\r
\r
-Copyright (c) 2004, Intel Corporation \r
-All rights reserved. This program and the accompanying materials \r
+Copyright (c) 2004 - 2010, Intel Corporation. All rights reserved.<BR>\r
+This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
http://opensource.org/licenses/bsd-license.php \r
#define MAXMATCH 256\r
#define THRESHOLD 3\r
#define CODE_BIT 16\r
+#ifndef UINT8_MAX\r
#define UINT8_MAX 0xff\r
+#endif\r
#define BAD_TABLE - 1\r
\r
//\r
UINT16 NextCode;\r
UINT16 Mask;\r
\r
- for (Index = 1; Index <= 16; Index++) {\r
+ //\r
+ // TableBits should not be greater than 16.\r
+ //\r
+ if (TableBits >= (sizeof (Count)/sizeof (UINT16))) {\r
+ return (UINT16) BAD_TABLE;\r
+ }\r
+ \r
+ //\r
+ // Initialize Count array starting from Index 0, as there is a possibility of Count array being uninitialized.\r
+ //\r
+ for (Index = 0; Index <= 16; Index++) {\r
Count[Index] = 0;\r
}\r
\r
for (Index = 0; Index < NumOfChar; Index++) {\r
- Count[BitLen[Index]]++;\r
+ //\r
+ // Count array index should not be greater than or equal to its size.\r
+ //\r
+ if (BitLen[Index] < (sizeof (Count)/sizeof (UINT16))) {\r
+ Count[BitLen[Index]]++;\r
+ } else {\r
+ return (UINT16) BAD_TABLE;\r
+ }\r
}\r
\r
+ Start[0] = 0;\r
Start[1] = 0;\r
\r
for (Index = 1; Index <= 16; Index++) {\r
for (Char = 0; Char < NumOfChar; Char++) {\r
\r
Len = BitLen[Char];\r
- if (Len == 0) {\r
+ if (Len == 0 || Len >= 17) {\r
continue;\r
}\r
\r
Index = (UINT16) (Len - TableBits);\r
\r
while (Index != 0) {\r
- if (*Pointer == 0) {\r
+ //\r
+ // Avail should be lesser than size of mRight and mLeft to prevent buffer overflow.\r
+ //\r
+ if ((*Pointer == 0) && (Avail < sizeof (Sd->mRight)/sizeof (UINT16)) && (Avail < sizeof (Sd->mLeft)/sizeof (UINT16))) {\r
Sd->mRight[Avail] = Sd->mLeft[Avail] = 0;\r
*Pointer = Avail++;\r
}\r
\r
- if (Index3 & Mask) {\r
+ //\r
+ // *Pointer should be lesser than size of mRight and mLeft to prevent buffer overflow.\r
+ //\r
+ if ((Index3 & Mask) && (*Pointer < (sizeof (Sd->mRight)/sizeof (UINT16)))) {\r
Pointer = &Sd->mRight[*Pointer];\r
- } else {\r
+ } else if (*Pointer < (sizeof (Sd->mLeft)/sizeof (UINT16))) {\r
Pointer = &Sd->mLeft[*Pointer];\r
}\r
\r
\r
Number = (UINT16) GetBits (Sd, nbit);\r
\r
+ if ((Number > sizeof (Sd->mPTLen)) || (nn > sizeof (Sd->mPTLen))) {\r
+ //\r
+ // Fail if Number or nn is greater than size of mPTLen\r
+ //\r
+ return (UINT16) BAD_TABLE;\r
+ }\r
+\r
if (Number == 0) {\r
CharC = (UINT16) GetBits (Sd, nbit);\r
\r
if (Index == Special) {\r
CharC = (UINT16) GetBits (Sd, 2);\r
while ((INT16) (--CharC) >= 0) {\r
+ if (Index >= sizeof (Sd->mPTLen)) {\r
+ //\r
+ // Fail if Index is greater than or equal to mPTLen\r
+ //\r
+ return (UINT16) BAD_TABLE;\r
+ }\r
Sd->mPTLen[Index++] = 0;\r
}\r
}\r
\r
Returns:\r
\r
- EFI_SUCCESS - The size of destination buffer and the size of scratch buffer are successull retrieved.\r
+ EFI_SUCCESS - The size of destination buffer and the size of scratch buffer are successfully retrieved.\r
EFI_INVALID_PARAMETER - The source data is corrupted\r
\r
--*/\r
\r
Returns:\r
\r
- EFI_SUCCESS - The size of destination buffer and the size of scratch buffer are successull retrieved.\r
+ EFI_SUCCESS - The size of destination buffer and the size of scratch buffer are successfully retrieved.\r
EFI_INVALID_PARAMETER - The source data is corrupted\r
\r
--*/\r
\r
Returns:\r
\r
- EFI_SUCCESS - The size of destination buffer and the size of scratch buffer are successull retrieved.\r
+ EFI_SUCCESS - The size of destination buffer and the size of scratch buffer are successfully retrieved.\r
EFI_INVALID_PARAMETER - The source data is corrupted\r
\r
--*/\r