Fixes buffer read overflow bugs in authenticated variable driver.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13298 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 6d41de904b698e8842b1ac99f03603badf022286..784afae93b6a3f29f0d0c2e18fc26884bfd58fff 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -1399,6 +1399,9 @@ ProcessVariable (
     // Update public key database variable if need.\r
     //\r
     KeyIndex = AddPubKeyInStore (PubKey);\r
+    if (KeyIndex == 0) {\r
+      return EFI_SECURITY_VIOLATION;\r
+    }\r
   }\r
 \r
   //\r
@@ -2179,7 +2182,7 @@ VerifyTimeBasedPayload (
     CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);\r
     Cert     = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
     RootCert      = Cert->SignatureData;\r
-    RootCertSize  = CertList->SignatureSize;\r
+    RootCertSize  = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);\r
 \r
 \r
     //\r
@@ -2224,7 +2227,7 @@ VerifyTimeBasedPayload (
           // Iterate each Signature Data Node within this CertList for a verify\r
           //\r
           RootCert      = Cert->SignatureData;\r
-          RootCertSize  = CertList->SignatureSize;\r
+          RootCertSize  = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);\r
 \r
           //\r
           // Verify Pkcs7 SignedData via Pkcs7Verify library.\r