ShellPkg/hexedit: Fix a read-after-free bug

[mirror_edk2.git] / ShellPkg / Library / UefiShellDebug1CommandsLib / HexEdit / DiskImage.c

diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
index 846b102975a1c0f81ad4e73469992fbe3f9fdd51..8deb643f07ccf1b7a2a232b025cf48407ed60dbd 100644 (file)
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/HexEdit/DiskImage.c
@@ -1,7 +1,7 @@
 /** @file\r
   Functions to deal with Disk buffer.\r
 \r
-  Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved. <BR>\r
+  Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved. <BR>\r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
   which accompanies this distribution.  The full text of the license may be found at\r
@@ -120,27 +120,23 @@ HDiskImageSetDiskNameOffsetSize (
   IN UINTN    Size\r
   )\r
 {\r
-  UINTN Len;\r
-  UINTN Index;\r
+  if (Str == HDiskImage.Name) {\r
+    //\r
+    // This function might be called using HDiskImage.FileName as Str.\r
+    // Directly return without updating HDiskImage.FileName.\r
+    //\r
+    return EFI_SUCCESS;\r
+  }\r
 \r
   //\r
   // free the old file name\r
   //\r
   SHELL_FREE_NON_NULL (HDiskImage.Name);\r
-\r
-  Len             = StrLen (Str);\r
-\r
-  HDiskImage.Name = AllocateZeroPool (2 * (Len + 1));\r
+  HDiskImage.Name = AllocateCopyPool (StrSize (Str), Str);\r
   if (HDiskImage.Name == NULL) {\r
     return EFI_OUT_OF_RESOURCES;\r
   }\r
 \r
-  for (Index = 0; Index < Len; Index++) {\r
-    HDiskImage.Name[Index] = Str[Index];\r
-  }\r
-\r
-  HDiskImage.Name[Len]  = L'\0';\r
-\r
   HDiskImage.Offset     = Offset;\r
   HDiskImage.Size       = Size;\r
 \r