MdeModulePkg/DxePrintLibPrint2Protocol: Fix error in Precision position calculation

Due to a potential hole in the stop condition of loop, the two continuous
access to ArgumentString (index, index+1) inside the loop might cause the
string ending character ('\0') and the byte after it to be read.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

diff --git a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c
index 56534e56c3a1e06d554561caf99b5d5e8de9ed80..570d06d82e849461572774133aeea794a2c62217 100644 (file)
--- a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c
+++ b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c
@@ -2050,7 +2050,10 @@ InternalPrintLibSPrintMarker (
       // Compute the number of characters in ArgumentString and store it in Count\r
       // ArgumentString is either null-terminated, or it contains Precision characters\r
       //\r
       // Compute the number of characters in ArgumentString and store it in Count\r
       // ArgumentString is either null-terminated, or it contains Precision characters\r
       //\r

-      for (Count = 0; Count < Precision || ((Flags & PRECISION) == 0); Count++) {\r
+      for (Count = 0;\r
+            ArgumentString[Count * BytesPerArgumentCharacter] != '\0' &&\r
+            Count < Precision || ((Flags & PRECISION) == 0);\r
+            Count++) {\r

         ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask;\r
         if (ArgumentCharacter == 0) {\r
           break;\r
         ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask;\r
         if (ArgumentCharacter == 0) {\r
           break;\r


@@ -2107,7 +2110,7 @@ InternalPrintLibSPrintMarker (
     //\r
     // Copy the string into the output buffer performing the required type conversions\r
     //\r
     //\r
     // Copy the string into the output buffer performing the required type conversions\r
     //\r

-    while (Index < Count) {\r
+    while (Index < Count && (*ArgumentString) != '\0') {\r

       ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask;\r
 \r
       LengthToReturn += (1 * BytesPerOutputCharacter);\r
       ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask;\r
 \r
       LengthToReturn += (1 * BytesPerOutputCharacter);\r