buffer overflow, integer overflow.\r
\r
SupportCapsuleImage(), ProcessCapsuleImage(), IsValidCapsuleHeader(),\r
- ValidateFmpCapsule(), DisplayCapsuleImage(), ConvertBmpToGopBlt() will\r
- receive untrusted input and do basic validation.\r
+ ValidateFmpCapsule(), and DisplayCapsuleImage() receives untrusted input and\r
+ performs basic validation.\r
\r
- Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
\r
#include <PiDxe.h>\r
\r
-#include <IndustryStandard/Bmp.h>\r
#include <IndustryStandard/WindowsUxCapsule.h>\r
\r
#include <Guid/FmpCapsule.h>\r
#include <Library/DevicePathLib.h>\r
#include <Library/UefiLib.h>\r
#include <Library/PcdLib.h>\r
+#include <Library/BmpSupportLib.h>\r
\r
#include <Protocol/GraphicsOutput.h>\r
#include <Protocol/EsrtManagement.h>\r
#include <Protocol/FirmwareManagement.h>\r
#include <Protocol/DevicePath.h>\r
\r
+EFI_SYSTEM_RESOURCE_TABLE *mEsrtTable = NULL;\r
+BOOLEAN mIsVirtualAddrConverted = FALSE;\r
+\r
BOOLEAN mDxeCapsuleLibEndOfDxe = FALSE;\r
EFI_EVENT mDxeCapsuleLibEndOfDxeEvent = NULL;\r
\r
return EFI_SUCCESS;\r
}\r
\r
-/**\r
- Convert a *.BMP graphics image to a GOP blt buffer. If a NULL Blt buffer\r
- is passed in a GopBlt buffer will be allocated by this routine. If a GopBlt\r
- buffer is passed in it will be used if it is big enough.\r
-\r
- Caution: This function may receive untrusted input.\r
-\r
- @param[in] BmpImage Pointer to BMP file\r
- @param[in] BmpImageSize Number of bytes in BmpImage\r
- @param[in, out] GopBlt Buffer containing GOP version of BmpImage.\r
- @param[in, out] GopBltSize Size of GopBlt in bytes.\r
- @param[out] PixelHeight Height of GopBlt/BmpImage in pixels\r
- @param[out] PixelWidth Width of GopBlt/BmpImage in pixels\r
-\r
- @retval EFI_SUCCESS GopBlt and GopBltSize are returned.\r
- @retval EFI_UNSUPPORTED BmpImage is not a valid *.BMP image\r
- @retval EFI_BUFFER_TOO_SMALL The passed in GopBlt buffer is not big enough.\r
- GopBltSize will contain the required size.\r
- @retval EFI_OUT_OF_RESOURCES No enough buffer to allocate.\r
-\r
-**/\r
-STATIC\r
-EFI_STATUS\r
-ConvertBmpToGopBlt (\r
- IN VOID *BmpImage,\r
- IN UINTN BmpImageSize,\r
- IN OUT VOID **GopBlt,\r
- IN OUT UINTN *GopBltSize,\r
- OUT UINTN *PixelHeight,\r
- OUT UINTN *PixelWidth\r
- )\r
-{\r
- UINT8 *Image;\r
- UINT8 *ImageHeader;\r
- BMP_IMAGE_HEADER *BmpHeader;\r
- BMP_COLOR_MAP *BmpColorMap;\r
- EFI_GRAPHICS_OUTPUT_BLT_PIXEL *BltBuffer;\r
- EFI_GRAPHICS_OUTPUT_BLT_PIXEL *Blt;\r
- UINT64 BltBufferSize;\r
- UINTN Index;\r
- UINTN Height;\r
- UINTN Width;\r
- UINTN ImageIndex;\r
- UINT32 DataSizePerLine;\r
- BOOLEAN IsAllocated;\r
- UINT32 ColorMapNum;\r
-\r
- if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;\r
-\r
- if (BmpHeader->CharB != 'B' || BmpHeader->CharM != 'M') {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- //\r
- // Doesn't support compress.\r
- //\r
- if (BmpHeader->CompressionType != 0) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- //\r
- // Only support BITMAPINFOHEADER format.\r
- // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER\r
- //\r
- if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - OFFSET_OF(BMP_IMAGE_HEADER, HeaderSize)) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- //\r
- // The data size in each line must be 4 byte alignment.\r
- //\r
- DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);\r
- BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);\r
- if (BltBufferSize > (UINT32) ~0) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if ((BmpHeader->Size != BmpImageSize) ||\r
- (BmpHeader->Size < BmpHeader->ImageOffset) ||\r
- (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Calculate Color Map offset in the image.\r
- //\r
- Image = BmpImage;\r
- BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));\r
- if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {\r
- switch (BmpHeader->BitPerPixel) {\r
- case 1:\r
- ColorMapNum = 2;\r
- break;\r
- case 4:\r
- ColorMapNum = 16;\r
- break;\r
- case 8:\r
- ColorMapNum = 256;\r
- break;\r
- default:\r
- ColorMapNum = 0;\r
- break;\r
- }\r
- //\r
- // BMP file may has padding data between the bmp header section and the bmp data section.\r
- //\r
- if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) < sizeof (BMP_COLOR_MAP) * ColorMapNum) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- //\r
- // Calculate graphics image data address in the image\r
- //\r
- Image = ((UINT8 *) BmpImage) + BmpHeader->ImageOffset;\r
- ImageHeader = Image;\r
-\r
- //\r
- // Calculate the BltBuffer needed size.\r
- //\r
- BltBufferSize = MultU64x32 ((UINT64) BmpHeader->PixelWidth, BmpHeader->PixelHeight);\r
- //\r
- // Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow\r
- //\r
- if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
- return EFI_UNSUPPORTED;\r
- }\r
- BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
-\r
- IsAllocated = FALSE;\r
- if (*GopBlt == NULL) {\r
- //\r
- // GopBlt is not allocated by caller.\r
- //\r
- *GopBltSize = (UINTN) BltBufferSize;\r
- *GopBlt = AllocatePool (*GopBltSize);\r
- IsAllocated = TRUE;\r
- if (*GopBlt == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- } else {\r
- //\r
- // GopBlt has been allocated by caller.\r
- //\r
- if (*GopBltSize < (UINTN) BltBufferSize) {\r
- *GopBltSize = (UINTN) BltBufferSize;\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
- }\r
-\r
- *PixelWidth = BmpHeader->PixelWidth;\r
- *PixelHeight = BmpHeader->PixelHeight;\r
-\r
- //\r
- // Convert image from BMP to Blt buffer format\r
- //\r
- BltBuffer = *GopBlt;\r
- for (Height = 0; Height < BmpHeader->PixelHeight; Height++) {\r
- Blt = &BltBuffer[(BmpHeader->PixelHeight - Height - 1) * BmpHeader->PixelWidth];\r
- for (Width = 0; Width < BmpHeader->PixelWidth; Width++, Image++, Blt++) {\r
- switch (BmpHeader->BitPerPixel) {\r
- case 1:\r
- //\r
- // Convert 1-bit (2 colors) BMP to 24-bit color\r
- //\r
- for (Index = 0; Index < 8 && Width < BmpHeader->PixelWidth; Index++) {\r
- Blt->Red = BmpColorMap[((*Image) >> (7 - Index)) & 0x1].Red;\r
- Blt->Green = BmpColorMap[((*Image) >> (7 - Index)) & 0x1].Green;\r
- Blt->Blue = BmpColorMap[((*Image) >> (7 - Index)) & 0x1].Blue;\r
- Blt++;\r
- Width++;\r
- }\r
-\r
- Blt--;\r
- Width--;\r
- break;\r
-\r
- case 4:\r
- //\r
- // Convert 4-bit (16 colors) BMP Palette to 24-bit color\r
- //\r
- Index = (*Image) >> 4;\r
- Blt->Red = BmpColorMap[Index].Red;\r
- Blt->Green = BmpColorMap[Index].Green;\r
- Blt->Blue = BmpColorMap[Index].Blue;\r
- if (Width < (BmpHeader->PixelWidth - 1)) {\r
- Blt++;\r
- Width++;\r
- Index = (*Image) & 0x0f;\r
- Blt->Red = BmpColorMap[Index].Red;\r
- Blt->Green = BmpColorMap[Index].Green;\r
- Blt->Blue = BmpColorMap[Index].Blue;\r
- }\r
- break;\r
-\r
- case 8:\r
- //\r
- // Convert 8-bit (256 colors) BMP Palette to 24-bit color\r
- //\r
- Blt->Red = BmpColorMap[*Image].Red;\r
- Blt->Green = BmpColorMap[*Image].Green;\r
- Blt->Blue = BmpColorMap[*Image].Blue;\r
- break;\r
-\r
- case 24:\r
- //\r
- // It is 24-bit BMP.\r
- //\r
- Blt->Blue = *Image++;\r
- Blt->Green = *Image++;\r
- Blt->Red = *Image;\r
- break;\r
-\r
- case 32:\r
- //\r
- // it is 32-bit BMP. Skip pixel's highest byte\r
- //\r
- Blt->Blue = *Image++;\r
- Blt->Green = *Image++;\r
- Blt->Red = *Image++;\r
- break;\r
-\r
- default:\r
- //\r
- // Other bit format BMP is not supported.\r
- //\r
- if (IsAllocated) {\r
- FreePool (*GopBlt);\r
- *GopBlt = NULL;\r
- }\r
- return EFI_UNSUPPORTED;\r
- };\r
-\r
- }\r
-\r
- ImageIndex = (UINTN) Image - (UINTN) ImageHeader;\r
- if ((ImageIndex % 4) != 0) {\r
- //\r
- // Bmp Image starts each row on a 32-bit boundary!\r
- //\r
- Image = Image + (4 - (ImageIndex % 4));\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-\r
/**\r
Those capsules supported by the firmwares.\r
\r
UINTN Width;\r
EFI_GRAPHICS_OUTPUT_PROTOCOL *GraphicsOutput;\r
\r
- ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)(CapsuleHeader + 1);\r
- PayloadSize = CapsuleHeader->CapsuleImageSize - sizeof(EFI_CAPSULE_HEADER);\r
+ //\r
+ // UX capsule doesn't have extended header entries.\r
+ //\r
+ if (CapsuleHeader->HeaderSize != sizeof (EFI_CAPSULE_HEADER)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+ ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)((UINTN) CapsuleHeader + CapsuleHeader->HeaderSize);\r
+ //\r
+ // (CapsuleImageSize > HeaderSize) is guaranteed by IsValidCapsuleHeader().\r
+ //\r
+ PayloadSize = CapsuleHeader->CapsuleImageSize - CapsuleHeader->HeaderSize;\r
+\r
+ //\r
+ // Make sure the image payload at least contain the DISPLAY_DISPLAY_PAYLOAD header.\r
+ // Further size check is performed by the logic translating BMP to GOP BLT.\r
+ //\r
+ if (PayloadSize <= sizeof (DISPLAY_DISPLAY_PAYLOAD)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
\r
if (ImagePayload->Version != 1) {\r
return EFI_UNSUPPORTED;\r
Blt = NULL;\r
Width = 0;\r
Height = 0;\r
- Status = ConvertBmpToGopBlt (\r
+ Status = TranslateBmpToGopBlt (\r
ImagePayload + 1,\r
PayloadSize - sizeof(DISPLAY_DISPLAY_PAYLOAD),\r
- (VOID **)&Blt,\r
+ &Blt,\r
&BltSize,\r
&Height,\r
&Width\r
)\r
{\r
EFI_STATUS Status;\r
- EFI_SYSTEM_RESOURCE_TABLE *Esrt;\r
EFI_SYSTEM_RESOURCE_ENTRY *EsrtEntry;\r
UINTN Index;\r
BOOLEAN EsrtGuidFound;\r
UINTN NestedCapsuleSize;\r
ESRT_MANAGEMENT_PROTOCOL *EsrtProtocol;\r
EFI_SYSTEM_RESOURCE_ENTRY Entry;\r
+ EFI_HANDLE *HandleBuffer;\r
+ UINTN NumberOfHandles;\r
\r
EsrtGuidFound = FALSE;\r
if (mIsVirtualAddrConverted) {\r
}\r
\r
//\r
- // Check ESRT configuration table\r
+ // Check Firmware Management Protocols\r
//\r
if (!EsrtGuidFound) {\r
- Status = EfiGetSystemConfigurationTable(&gEfiSystemResourceTableGuid, (VOID **)&Esrt);\r
+ HandleBuffer = NULL;\r
+ Status = GetFmpHandleBufferByType (\r
+ &CapsuleHeader->CapsuleGuid,\r
+ 0,\r
+ &NumberOfHandles,\r
+ &HandleBuffer\r
+ );\r
if (!EFI_ERROR(Status)) {\r
- ASSERT (Esrt != NULL);\r
- EsrtEntry = (VOID *)(Esrt + 1);\r
- for (Index = 0; Index < Esrt->FwResourceCount; Index++, EsrtEntry++) {\r
- if (CompareGuid(&EsrtEntry->FwClass, &CapsuleHeader->CapsuleGuid)) {\r
- EsrtGuidFound = TRUE;\r
- break;\r
- }\r
- }\r
+ EsrtGuidFound = TRUE;\r
+ }\r
+ if (HandleBuffer != NULL) {\r
+ FreePool (HandleBuffer);\r
}\r
}\r
}\r
projects / mirror_edk2.git / blobdiff