MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)

author Dandan Bi <dandan.bi@intel.com>

Fri, 22 Feb 2019 07:45:24 +0000 (15:45 +0800)

committer mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Fri, 14 Feb 2020 08:18:47 +0000 (08:18 +0000)
author Dandan Bi <dandan.bi@intel.com>
Fri, 22 Feb 2019 07:45:24 +0000 (15:45 +0800)
committer mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Fri, 14 Feb 2020 08:18:47 +0000 (08:18 +0000)
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c

index 505e063d49c39dbda15a86ca578b7fd9b16be48d..2c7ecfea407643c539894301f6de2737c58e6e31 100644 (file)
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
@@ -2,7 +2,7 @@
  Implementation for EFI_HII_STRING_PROTOCOL.\r
  \r
  \r
-Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2007 - 2020, Intel Corporation. All rights reserved.<BR>\r
  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
  \r
@@ -1006,6 +1006,7 @@ SetStringWorker (
        TmpSize\r
        );\r
  \r
+    ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
      FreePool (StringPackage->StringBlock);\r
      StringPackage->StringBlock = Block;\r
      StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);\r
@@ -1039,6 +1040,7 @@ SetStringWorker (
        OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize\r
        );\r
  \r
+    ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
      FreePool (StringPackage->StringBlock);\r
      StringPackage->StringBlock = Block;\r
      StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);\r
@@ -1090,6 +1092,7 @@ SetStringWorker (
  \r
    CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);\r
  \r
+  ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
    FreePool (StringPackage->StringBlock);\r
    StringPackage->StringBlock = Block;\r
    StringPackage->StringPkgHdr->Header.Length += Ext2.Length;\r
@@ -1275,6 +1278,7 @@ HiiNewString (
        // Append a EFI_HII_SIBT_END block to the end.\r
        //\r
        *BlockPtr = EFI_HII_SIBT_END;\r
+      ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
        FreePool (StringPackage->StringBlock);\r
        StringPackage->StringBlock = StringBlock;\r
        StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;\r
@@ -1406,6 +1410,7 @@ HiiNewString (
      // Append a EFI_HII_SIBT_END block to the end.\r
      //\r
      *BlockPtr = EFI_HII_SIBT_END;\r
+    ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
      FreePool (StringPackage->StringBlock);\r
      StringPackage->StringBlock = StringBlock;\r
      StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;\r
@@ -1448,6 +1453,7 @@ HiiNewString (
        // Append a EFI_HII_SIBT_END block to the end.\r
        //\r
        *BlockPtr = EFI_HII_SIBT_END;\r
+      ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
        FreePool (StringPackage->StringBlock);\r
        StringPackage->StringBlock = StringBlock;\r
        StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;\r
@@ -1509,6 +1515,7 @@ HiiNewString (
        // Append a EFI_HII_SIBT_END block to the end.\r
        //\r
        *BlockPtr = EFI_HII_SIBT_END;\r
+      ZeroMem (StringPackage->StringBlock, OldBlockSize);\r
        FreePool (StringPackage->StringBlock);\r
        StringPackage->StringBlock = StringBlock;\r
        StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize;\r
author	Dandan Bi <dandan.bi@intel.com>
	Fri, 22 Feb 2019 07:45:24 +0000 (15:45 +0800)
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
	Fri, 14 Feb 2020 08:18:47 +0000 (08:18 +0000)