UINTN Height;\r
UINTN Width;\r
UINTN ImageIndex;\r
+ UINT32 DataSizePerLine;\r
BOOLEAN IsAllocated;\r
+ UINT32 ColorMapNum;\r
+\r
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
\r
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;\r
\r
return EFI_UNSUPPORTED;\r
}\r
\r
+ //\r
+ // Only support BITMAPINFOHEADER format.\r
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER\r
+ //\r
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - OFFSET_OF(BMP_IMAGE_HEADER, HeaderSize)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // The data size in each line must be 4 byte alignment.\r
+ //\r
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);\r
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);\r
+ if (BltBufferSize > (UINT32) ~0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if ((BmpHeader->Size != BmpImageSize) || \r
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||\r
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
//\r
// Calculate Color Map offset in the image.\r
//\r
Image = BmpImage;\r
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));\r
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {\r
+ switch (BmpHeader->BitPerPixel) {\r
+ case 1:\r
+ ColorMapNum = 2;\r
+ break;\r
+ case 4:\r
+ ColorMapNum = 16;\r
+ break;\r
+ case 8:\r
+ ColorMapNum = 256;\r
+ break;\r
+ default:\r
+ ColorMapNum = 0;\r
+ break;\r
+ }\r
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
\r
//\r
// Calculate graphics image data address in the image\r
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow\r
//\r
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
- return EFI_UNSUPPORTED;\r
- }\r
+ return EFI_UNSUPPORTED;\r
+ }\r
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
\r
IsAllocated = FALSE;\r
UINTN NewDestY;\r
UINTN NewHeight;\r
UINTN NewWidth;\r
+ UINT64 BufferSize;\r
\r
UgaDraw = NULL;\r
//\r
FreePool (Blt);\r
}\r
\r
- LogoBlt = AllocateZeroPool (LogoWidth * LogoHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
+ //\r
+ // Ensure the LogoHeight * LogoWidth doesn't overflow\r
+ //\r
+ if (LogoHeight > DivU64x64Remainder ((UINTN) ~0, LogoWidth, NULL)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+ BufferSize = MultU64x64 (LogoWidth, LogoHeight);\r
+\r
+ //\r
+ // Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow\r
+ //\r
+ if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ LogoBlt = AllocateZeroPool ((UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
if (LogoBlt == NULL) {\r
return EFI_OUT_OF_RESOURCES;\r
}\r
projects / mirror_edk2.git / blobdiff