git.proxmox.com Git - mirror_edk2.git/commit - SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c

SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check

Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
guards the de-referencing of the "WinCertificate" pointer. It does not
guard the calculation of the pointer itself:

WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);

This is wrong; if we don't know for sure that we have enough room for a
WIN_CERTIFICATE, then even creating such a pointer, not just
de-referencing it, may invoke undefined behavior.

Move the pointer calculation after the size check.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Wenyi Xie <xiewenyi2@huawei.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200901091221.20948-3-lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
Reviewed-by: Min M Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

author	Laszlo Ersek <lersek@redhat.com>
	Tue, 1 Sep 2020 09:12:20 +0000 (11:12 +0200)
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
	Wed, 2 Sep 2020 10:16:18 +0000 (10:16 +0000)
commit	a7632e913c1c106f436aefd5e76c394249c383a8
tree	57ba757fdd984366452d2ba8306ea4c56a11a29a	tree
parent	503248ccdf45c14d4040ce44163facdc212e4991	commit \| diff