]> git.proxmox.com Git - mirror_edk2.git/commitdiff
projects / mirror_edk2.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 458cd56)
IntelFrameworkPkg/UefiLib: Avoid mis-calculate of graphic console size
authorHao Wu <hao.a.wu@intel.com>
Thu, 23 Mar 2017 02:45:44 +0000 (10:45 +0800)
committerHao Wu <hao.a.wu@intel.com>
Fri, 14 Apr 2017 05:16:12 +0000 (13:16 +0800)
The commit adds check in function InternalPrintGraphic() to ensure that
the expression:

Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)

will not overflow in the UINTN range.

The commit also adds an explicit UINT32 type cast for 'Blt->Width' to
avoid possible overflow in the int range for:

Blt->Width * Blt->Height

Since both Blt->Width and Blt->Height are of type UINT16. They will be
promoted to int (signed) first, and then perform the multiplication
operation. If the result of multiplication between Blt->Width and
Blt->Height exceeds the range of type int, a potential incorrect size will
be passed into function AllocateZeroPool().

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c patch | blob | blame | history

diff --git a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
index f0dcf9fb25f4fe5165f58c1998c8f4ea64766d8d..6f06efbe057b25f6f9abe1c7c421300511428a54 100644 (file)
--- a/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
+++ b/IntelFrameworkPkg/Library/FrameworkUefiLib/UefiLibPrint.c
@@ -2,7 +2,7 @@
   Mde UEFI library API implementation.\r
   Print to StdErr or ConOut defined in EFI_SYSTEM_TABLE\r
 \r
-  Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2007 - 2017, Intel Corporation. All rights reserved.<BR>\r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
   which accompanies this distribution.  The full text of the license may be found at\r
@@ -474,7 +474,14 @@ InternalPrintGraphic (
   } else if (FeaturePcdGet (PcdUgaConsumeSupport)) {\r
     ASSERT (UgaDraw!= NULL);\r
 \r
-    Blt->Image.Bitmap = AllocateZeroPool (Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
+    //\r
+    // Ensure Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow.\r
+    //\r
+    if (Blt->Width > DivU64x32 (MAX_UINTN, Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
+      goto Error;\r
+    }\r
+\r
+    Blt->Image.Bitmap = AllocateZeroPool ((UINT32) Blt->Width * Blt->Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
     ASSERT (Blt->Image.Bitmap != NULL);\r
 \r
     //\r
EFI Development Kit II mirror for PVE