ShellPkg/Shell: Avoid reading content beyond string boundary

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690

Within function EfiShellGetDevicePathFromFilePath(), when the input
parameter 'Path' string is like:
"FS0:"

It is possible for the below statement:
"if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {"

to read the content 1 byte beyond the string boundary (both 'Path' and
'MapName' will be FS0: in this case).

This commit adds additional checks to avoid this.

Cc: Steven Shi <steven.shi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>

diff --git a/ShellPkg/Application/Shell/ShellProtocol.c b/ShellPkg/Application/Shell/ShellProtocol.c
index 40e5e653aeebd0183098a9c4e52d2a87c13c7a3e..5e34b8dad17b87c4529b01dfa996ba2b90b9dc12 100644 (file)
--- a/ShellPkg/Application/Shell/ShellProtocol.c
+++ b/ShellPkg/Application/Shell/ShellProtocol.c
@@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath(
   //\r
   // build the full device path\r
   //\r
-  if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {\r
+  if ((*(Path+StrLen(MapName)) != CHAR_NULL) &&\r
+      (*(Path+StrLen(MapName)+1) == CHAR_NULL)) {\r
     DevicePathForReturn = FileDevicePath(Handle, L"\\");\r
   } else {\r
     DevicePathForReturn = FileDevicePath(Handle, Path+StrLen(MapName));\r