MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563)

[mirror_edk2.git] / MdeModulePkg / Library / PiDxeS3BootScriptLib / BootScriptSave.c

diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
index 9106e7d0f9f5dd864ad428fcedbdefac794ecfb6..9315fc9f0188680b716956e3ced097a7a7bb61b9 100644 (file)
--- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
+++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
@@ -1,7 +1,7 @@
 /** @file\r
   Save the S3 data to S3 boot script.\r
 \r
-  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>\r
 \r
   SPDX-License-Identifier: BSD-2-Clause-Patent\r
 \r
@@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite (
   EFI_BOOT_SCRIPT_IO_WRITE  ScriptIoWrite;\r
 \r
   WidthInByte = (UINT8) (0x01 << (Width & 0x03));\r
+\r
+  //\r
+  // Truncation check\r
+  //\r
+  if ((Count > MAX_UINT8) ||\r
+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count));\r
 \r
   Script = S3BootScriptGetEntryAddAddress (Length);\r
@@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite (
   EFI_BOOT_SCRIPT_MEM_WRITE  ScriptMemWrite;\r
 \r
   WidthInByte = (UINT8) (0x01 << (Width & 0x03));\r
+\r
+  //\r
+  // Truncation check\r
+  //\r
+  if ((Count > MAX_UINT8) ||\r
+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count));\r
 \r
   Script = S3BootScriptGetEntryAddAddress (Length);\r
@@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite (
   }\r
 \r
   WidthInByte = (UINT8) (0x01 << (Width & 0x03));\r
+\r
+  //\r
+  // Truncation check\r
+  //\r
+  if ((Count > MAX_UINT8) ||\r
+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count));\r
 \r
   Script = S3BootScriptGetEntryAddAddress (Length);\r
@@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write (
   }\r
 \r
   WidthInByte = (UINT8) (0x01 << (Width & 0x03));\r
+\r
+  //\r
+  // Truncation check\r
+  //\r
+  if ((Count > MAX_UINT8) ||\r
+      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count));\r
 \r
   Script = S3BootScriptGetEntryAddAddress (Length);\r
@@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute (
     return Status;\r
   }\r
 \r
+  //\r
+  // Truncation check\r
+  //\r
+  if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength);\r
 \r
   Script = S3BootScriptGetEntryAddAddress (DataSize);\r
@@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation (
   UINT8                 *Script;\r
   EFI_BOOT_SCRIPT_INFORMATION  ScriptInformation;\r
 \r
+  //\r
+  // Truncation check\r
+  //\r
+  if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);\r
 \r
   Script = S3BootScriptGetEntryAddAddress (Length);\r
@@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal (
   UINT8                 *Script;\r
   EFI_BOOT_SCRIPT_INFORMATION  ScriptInformation;\r
 \r
+  //\r
+  // Truncation check\r
+  //\r
+  if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {\r
+    return RETURN_OUT_OF_RESOURCES;\r
+  }\r
   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);\r
 \r
   Script = S3BootScriptGetEntryAddAddress (Length);\r