UINTN Width;\r
EFI_GRAPHICS_OUTPUT_PROTOCOL *GraphicsOutput;\r
\r
- ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)(CapsuleHeader + 1);\r
- PayloadSize = CapsuleHeader->CapsuleImageSize - sizeof(EFI_CAPSULE_HEADER);\r
+ //\r
+ // UX capsule doesn't have extended header entries.\r
+ //\r
+ if (CapsuleHeader->HeaderSize != sizeof (EFI_CAPSULE_HEADER)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+ ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)((UINTN) CapsuleHeader + CapsuleHeader->HeaderSize);\r
+ //\r
+ // (CapsuleImageSize > HeaderSize) is guaranteed by IsValidCapsuleHeader().\r
+ //\r
+ PayloadSize = CapsuleHeader->CapsuleImageSize - CapsuleHeader->HeaderSize;\r
+\r
+ //\r
+ // Make sure the image payload at least contain the DISPLAY_DISPLAY_PAYLOAD header.\r
+ // Further size check is performed by the logic translating BMP to GOP BLT.\r
+ //\r
+ if (PayloadSize <= sizeof (DISPLAY_DISPLAY_PAYLOAD)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
\r
if (ImagePayload->Version != 1) {\r
return EFI_UNSUPPORTED;\r