/** @file\r
Implementation of the shared functions to do the platform driver vverride mapping.\r
\r
- Copyright (c) 2007 - 2009, Intel Corporation. All rights reserved.<BR>\r
+ Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
//\r
VariableNum = 1;\r
Corrupted = FALSE;\r
+ NotEnd = 0;\r
do {\r
VariableIndex = VariableBuffer;\r
- //\r
- // End flag\r
- //\r
- NotEnd = *(UINT32*) VariableIndex;\r
+ if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {\r
+ Corrupted = TRUE;\r
+ } else {\r
+ //\r
+ // End flag\r
+ //\r
+ NotEnd = *(UINT32*) VariableIndex;\r
+ }\r
//\r
// Traverse the entries containing the mapping that Controller Device Path\r
// to a set of Driver Device Paths within this variable.\r
//\r
// Check signature of this entry\r
//\r
+ if (VariableIndex + sizeof (UINT32) > (UINT8 *) VariableBuffer + BufferSize) {\r
+ Corrupted = TRUE;\r
+ break;\r
+ }\r
Signature = *(UINT32 *) VariableIndex;\r
if (Signature != PLATFORM_OVERRIDE_ITEM_SIGNATURE) {\r
Corrupted = TRUE;\r
//\r
// Get DriverNum\r
//\r
+ if (VariableIndex + sizeof (UINT32) >= (UINT8 *) VariableBuffer + BufferSize) {\r
+ Corrupted = TRUE;\r
+ break;\r
+ }\r
DriverNumber = *(UINT32*) VariableIndex;\r
OverrideItem->DriverInfoNum = DriverNumber;\r
VariableIndex = VariableIndex + sizeof (UINT32);\r
// Align the VariableIndex since the controller device path may not be aligned, refer to the SaveOverridesMapping()\r
//\r
VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));\r
+ //\r
+ // Check buffer overflow.\r
+ //\r
+ if ((OverrideItem->ControllerDevicePath == NULL) || (VariableIndex < (UINT8 *) ControllerDevicePath) || \r
+ (VariableIndex > (UINT8 *) VariableBuffer + BufferSize)) {\r
+ Corrupted = TRUE;\r
+ break;\r
+ }\r
\r
//\r
// Get all DriverImageDevicePath[]\r
VariableIndex += ((sizeof(UINT32) - ((UINTN) (VariableIndex))) & (sizeof(UINT32) - 1));\r
\r
InsertTailList (&OverrideItem->DriverInfoList, &DriverImageInfo->Link);\r
+\r
+ //\r
+ // Check buffer overflow\r
+ //\r
+ if ((DriverImageInfo->DriverImagePath == NULL) || (VariableIndex < (UINT8 *) DriverDevicePath) || \r
+ (VariableIndex < (UINT8 *) VariableBuffer + BufferSize)) {\r
+ Corrupted = TRUE;\r
+ break;\r
+ }\r
}\r
InsertTailList (MappingDataBase, &OverrideItem->Link);\r
+ if (Corrupted) {\r
+ break;\r
+ }\r
}\r
\r
FreePool (VariableBuffer);\r
//\r
// Check NotEnd to get all PlatDriOverX variable(s)\r
//\r
- while ((*(UINT32*)VariableBuffer) != 0) {\r
+ while ((VariableBuffer != NULL) && ((*(UINT32*)VariableBuffer) != 0)) {\r
+ FreePool (VariableBuffer);\r
UnicodeSPrint (OverrideVariableName, sizeof (OverrideVariableName), L"PlatDriOver%d", VariableNum);\r
VariableBuffer = GetVariableAndSize (OverrideVariableName, &gEfiCallerIdGuid, &BufferSize);\r
VariableNum++;\r
- ASSERT (VariableBuffer != NULL);\r
}\r
\r
//\r
VariableNeededSize,\r
VariableBuffer\r
);\r
- ASSERT (!EFI_ERROR(Status));\r
+ FreePool (VariableBuffer);\r
+\r
+ if (EFI_ERROR (Status)) {\r
+ if (NumIndex > 0) {\r
+ //\r
+ // Delete all PlatDriOver variables when full mapping can't be set. \r
+ //\r
+ DeleteOverridesVariables ();\r
+ }\r
+ return Status;\r
+ }\r
\r
NumIndex ++;\r
- FreePool (VariableBuffer);\r
}\r
\r
return EFI_SUCCESS;\r
projects / mirror_edk2.git / blobdiff