MdeModulePkg/UdfDxe: Add boundary check for getting volume (free) size

[mirror_edk2.git] / MdeModulePkg / Universal / Disk / UdfDxe / FileSystemOperations.c

diff --git a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
index 359fac0adf6088f9a86605648a44b0a770138c02..24fef4e9f309730b83c9fafe3232ca3d50a26c49 100644 (file)
--- a/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
+++ b/MdeModulePkg/Universal/Disk/UdfDxe/FileSystemOperations.c
@@ -2533,6 +2533,13 @@ SetFileInfo (
 /**\r
   Get volume and free space size information of an UDF volume.\r
 \r
+  @attention This is boundary function that may receive untrusted input.\r
+  @attention The input is from FileSystem.\r
+\r
+  The Logical Volume Descriptor and the Logical Volume Integrity Descriptor are\r
+  external inputs, so this routine will do basic validation for both descriptors\r
+  and report status.\r
+\r
   @param[in]   BlockIo        BlockIo interface.\r
   @param[in]   DiskIo         DiskIo interface.\r
   @param[in]   Volume         UDF volume information structure.\r
@@ -2571,7 +2578,8 @@ GetVolumeSize (
 \r
   ExtentAd = &LogicalVolDesc->IntegritySequenceExtent;\r
 \r
-  if (ExtentAd->ExtentLength == 0) {\r
+  if ((ExtentAd->ExtentLength == 0) ||\r
+      (ExtentAd->ExtentLength < sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {\r
     return EFI_VOLUME_CORRUPTED;\r
   }\r
 \r
@@ -2611,6 +2619,13 @@ GetVolumeSize (
     goto Out_Free;\r
   }\r
 \r
+  if ((LogicalVolInt->NumberOfPartitions > MAX_UINT32 / sizeof (UINT32) / 2) ||\r
+      (LogicalVolInt->NumberOfPartitions * sizeof (UINT32) * 2 >\r
+       ExtentAd->ExtentLength - sizeof (UDF_LOGICAL_VOLUME_INTEGRITY))) {\r
+    Status = EFI_VOLUME_CORRUPTED;\r
+    goto Out_Free;\r
+  }\r
+\r
   *VolumeSize = 0;\r
   *FreeSpaceSize = 0;\r
 \r