MdePkg/SafeString: Fix potential out-of-bound memory access
authorRuiyu Ni <ruiyu.ni@intel.com>
Fri, 2 Feb 2018 10:47:18 +0000 (18:47 +0800)
committerRuiyu Ni <ruiyu.ni@intel.com>
Tue, 6 Feb 2018 09:31:08 +0000 (17:31 +0800)
commit56658c22a674062e46f5bfd2d4da71a88bf3c0e5
tree9bf11a637bb849b218d480d1e96a037900939e35
parent7162fdb037fb9385f6bd7d0dc55d54029b810de2
MdePkg/SafeString: Fix potential out-of-bound memory access

Today's implementation of [Ascii]StrnCpyS/[Ascii]StrnCatS calls
StrnLenS () to get the length of source string but supplies the
destination buffer size as max size.
It's a bug that may cause out-of-bound memory access.
For example:
  StrnCpyS (Dest[10], 10, "hello", 6)
  -> StrnLenS ("hello", 10) //< cause out-of bound memory access

In a pool guard enabled environment, when using shell to edit an
existing file which contains empty line, the page fault is met.

The patch fixes the four library functions to avoid such
out-of-bound memory access.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
MdePkg/Library/BaseLib/SafeString.c