summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
68099b5)
Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
https://bugzilla.tianocore.org/show_bug.cgi?id=686
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
UINT16 Mask;\r
UINT16 WordOfStart;\r
UINT16 WordOfCount;\r
UINT16 Mask;\r
UINT16 WordOfStart;\r
UINT16 WordOfCount;\r
+ UINT16 MaxTableLength;\r
\r
//\r
// The maximum mapping table width supported by this internal\r
\r
//\r
// The maximum mapping table width supported by this internal\r
}\r
\r
for (Index = 0; Index < NumOfChar; Index++) {\r
}\r
\r
for (Index = 0; Index < NumOfChar; Index++) {\r
+ if (BitLen[Index] > 16) {\r
+ return (UINT16) BAD_TABLE;\r
+ }\r
Count[BitLen[Index]]++;\r
}\r
\r
Count[BitLen[Index]]++;\r
}\r
\r
\r
Avail = NumOfChar;\r
Mask = (UINT16) (1U << (15 - TableBits));\r
\r
Avail = NumOfChar;\r
Mask = (UINT16) (1U << (15 - TableBits));\r
+ MaxTableLength = (UINT16) (1U << TableBits);\r
\r
for (Char = 0; Char < NumOfChar; Char++) {\r
\r
\r
for (Char = 0; Char < NumOfChar; Char++) {\r
\r
if (Len <= TableBits) {\r
\r
for (Index = Start[Len]; Index < NextCode; Index++) {\r
if (Len <= TableBits) {\r
\r
for (Index = Start[Len]; Index < NextCode; Index++) {\r
+ if (Index >= MaxTableLength) {\r
+ return (UINT16) BAD_TABLE;\r
+ }\r
Table[Index] = Char;\r
}\r
\r
Table[Index] = Char;\r
}\r
\r
// Write BytesRemain of bytes into mDstBase\r
//\r
BytesRemain--;\r
// Write BytesRemain of bytes into mDstBase\r
//\r
BytesRemain--;\r
while ((INT16) (BytesRemain) >= 0) {\r
while ((INT16) (BytesRemain) >= 0) {\r
- Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];\r
if (Sd->mOutBuf >= Sd->mOrigSize) {\r
goto Done;\r
}\r
if (Sd->mOutBuf >= Sd->mOrigSize) {\r
goto Done;\r
}\r
+ if (DataIdx >= Sd->mOrigSize) {\r
+ Sd->mBadTableFlag = (UINT16) BAD_TABLE;\r
+ goto Done;\r
+ }\r
+ Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];\r
}\r
\r
CompressedSize = ReadUnaligned32 ((UINT32 *)Source);\r
}\r
\r
CompressedSize = ReadUnaligned32 ((UINT32 *)Source);\r
- if (SourceSize < (CompressedSize + 8)) {\r
+ if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {\r
return RETURN_INVALID_PARAMETER;\r
}\r
\r
return RETURN_INVALID_PARAMETER;\r
}\r
\r