REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1255
For function ReadFile():
If the line
Status = GetAedAdsData (
...
);
is reached multiple times during the 'for' loop, freeing the data pointed
by variable 'Data' may potentially lead to variable 'Ad' referencing the
already-freed data.
After calling function GetAllocationDescriptor(), 'Data' and 'Ad' may
point to the same memory (with some possible offset). Hence, this commit
will move the FreePool() call backwards to ensure the data will no longer
be used.
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Acked-by: Star Zeng <star.zeng@intel.com>
EFI_STATUS Status;\r
UINT32 LogicalBlockSize;\r
VOID *Data;\r
+ VOID *DataBak;\r
UINT64 Length;\r
VOID *Ad;\r
UINT64 AdOffset;\r
// Descriptor and its extents (ADs).\r
//\r
if (GET_EXTENT_FLAGS (RecordingFlags, Ad) == ExtentIsNextExtent) {\r
- if (!DoFreeAed) {\r
- DoFreeAed = TRUE;\r
- } else {\r
- FreePool (Data);\r
- }\r
-\r
+ DataBak = Data;\r
Status = GetAedAdsData (\r
BlockIo,\r
DiskIo,\r
&Data,\r
&Length\r
);\r
+\r
+ if (!DoFreeAed) {\r
+ DoFreeAed = TRUE;\r
+ } else {\r
+ FreePool (DataBak);\r
+ }\r
+\r
if (EFI_ERROR (Status)) {\r
goto Error_Get_Aed;\r
}\r
projects / mirror_edk2.git / commitdiff