/*++\r
\r
-Copyright (c) 2004 - 2010, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
UINTN Height;\r
UINTN Width;\r
UINTN ImageIndex;\r
+ UINTN DataSizePerLine;\r
BOOLEAN IsAllocated;\r
+ UINT32 ColorMapNum;\r
+\r
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
\r
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;\r
+\r
if (BmpHeader->CharB != 'B' || BmpHeader->CharM != 'M') {\r
return EFI_UNSUPPORTED;\r
}\r
\r
+ //\r
+ // Doesn't support compress.\r
+ //\r
if (BmpHeader->CompressionType != 0) {\r
return EFI_UNSUPPORTED;\r
}\r
\r
+ //\r
+ // Only support BITMAPINFOHEADER format.\r
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER\r
+ //\r
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - ((UINTN) &(((BMP_IMAGE_HEADER *)0)->HeaderSize))) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // The data size in each line must be 4 byte alignment.\r
+ //\r
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);\r
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);\r
+ if (BltBufferSize > (UINT32) ~0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if ((BmpHeader->Size != BmpImageSize) || \r
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||\r
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
//\r
// Calculate Color Map offset in the image.\r
//\r
Image = BmpImage;\r
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));\r
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {\r
+ switch (BmpHeader->BitPerPixel) {\r
+ case 1:\r
+ ColorMapNum = 2;\r
+ break;\r
+ case 4:\r
+ ColorMapNum = 16;\r
+ break;\r
+ case 8:\r
+ ColorMapNum = 256;\r
+ break;\r
+ default:\r
+ ColorMapNum = 0;\r
+ break;\r
+ }\r
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
\r
//\r
// Calculate graphics image data address in the image\r
/*++\r
\r
-Copyright (c) 2004 - 2010, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
UINTN Height;\r
UINTN Width;\r
UINTN ImageIndex;\r
+ UINTN DataSizePerLine;\r
BOOLEAN IsAllocated;\r
+ UINT32 ColorMapNum;\r
+\r
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
\r
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;\r
+\r
if (BmpHeader->CharB != 'B' || BmpHeader->CharM != 'M') {\r
return EFI_UNSUPPORTED;\r
}\r
\r
+ //\r
+ // Doesn't support compress.\r
+ //\r
if (BmpHeader->CompressionType != 0) {\r
return EFI_UNSUPPORTED;\r
}\r
\r
+ //\r
+ // Only support BITMAPINFOHEADER format.\r
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER\r
+ //\r
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - ((UINTN) &(((BMP_IMAGE_HEADER *)0)->HeaderSize))) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // The data size in each line must be 4 byte alignment.\r
+ //\r
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);\r
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);\r
+ if (BltBufferSize > (UINT32) ~0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if ((BmpHeader->Size != BmpImageSize) || \r
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||\r
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
//\r
// Calculate Color Map offset in the image.\r
//\r
Image = BmpImage;\r
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));\r
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {\r
+ switch (BmpHeader->BitPerPixel) {\r
+ case 1:\r
+ ColorMapNum = 2;\r
+ break;\r
+ case 4:\r
+ ColorMapNum = 16;\r
+ break;\r
+ case 8:\r
+ ColorMapNum = 256;\r
+ break;\r
+ default:\r
+ ColorMapNum = 0;\r
+ break;\r
+ }\r
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
\r
//\r
// Calculate graphics image data address in the image\r
UINTN Height;\r
UINTN Width;\r
UINTN ImageIndex;\r
+ UINT32 DataSizePerLine;\r
BOOLEAN IsAllocated;\r
+ UINT32 ColorMapNum;\r
+\r
+ if (sizeof (BMP_IMAGE_HEADER) > BmpImageSize) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
\r
BmpHeader = (BMP_IMAGE_HEADER *) BmpImage;\r
\r
return EFI_UNSUPPORTED;\r
}\r
\r
+ //\r
+ // Only support BITMAPINFOHEADER format.\r
+ // BITMAPFILEHEADER + BITMAPINFOHEADER = BMP_IMAGE_HEADER\r
+ //\r
+ if (BmpHeader->HeaderSize != sizeof (BMP_IMAGE_HEADER) - OFFSET_OF(BMP_IMAGE_HEADER, HeaderSize)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // The data size in each line must be 4 byte alignment.\r
+ //\r
+ DataSizePerLine = ((BmpHeader->PixelWidth * BmpHeader->BitPerPixel + 31) >> 3) & (~0x3);\r
+ BltBufferSize = MultU64x32 (DataSizePerLine, BmpHeader->PixelHeight);\r
+ if (BltBufferSize > (UINT32) ~0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if ((BmpHeader->Size != BmpImageSize) || \r
+ (BmpHeader->Size < BmpHeader->ImageOffset) ||\r
+ (BmpHeader->Size - BmpHeader->ImageOffset != BmpHeader->PixelHeight * DataSizePerLine)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
//\r
// Calculate Color Map offset in the image.\r
//\r
Image = BmpImage;\r
BmpColorMap = (BMP_COLOR_MAP *) (Image + sizeof (BMP_IMAGE_HEADER));\r
+ if (BmpHeader->ImageOffset < sizeof (BMP_IMAGE_HEADER)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if (BmpHeader->ImageOffset > sizeof (BMP_IMAGE_HEADER)) {\r
+ switch (BmpHeader->BitPerPixel) {\r
+ case 1:\r
+ ColorMapNum = 2;\r
+ break;\r
+ case 4:\r
+ ColorMapNum = 16;\r
+ break;\r
+ case 8:\r
+ ColorMapNum = 256;\r
+ break;\r
+ default:\r
+ ColorMapNum = 0;\r
+ break;\r
+ }\r
+ if (BmpHeader->ImageOffset - sizeof (BMP_IMAGE_HEADER) != sizeof (BMP_COLOR_MAP) * ColorMapNum) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
\r
//\r
// Calculate graphics image data address in the image\r
// Ensure the BltBufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow\r
//\r
if (BltBufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
- return EFI_UNSUPPORTED;\r
- }\r
+ return EFI_UNSUPPORTED;\r
+ }\r
BltBufferSize = MultU64x32 (BltBufferSize, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
\r
IsAllocated = FALSE;\r
UINTN NewDestY;\r
UINTN NewHeight;\r
UINTN NewWidth;\r
+ UINT64 BufferSize;\r
\r
UgaDraw = NULL;\r
//\r
FreePool (Blt);\r
}\r
\r
- LogoBlt = AllocateZeroPool (LogoWidth * LogoHeight * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
+ //\r
+ // Ensure the LogoHeight * LogoWidth doesn't overflow\r
+ //\r
+ if (LogoHeight > DivU64x64Remainder ((UINTN) ~0, LogoWidth, NULL)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+ BufferSize = MultU64x64 (LogoWidth, LogoHeight);\r
+\r
+ //\r
+ // Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow\r
+ //\r
+ if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ LogoBlt = AllocateZeroPool ((UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL));\r
if (LogoBlt == NULL) {\r
return EFI_OUT_OF_RESOURCES;\r
}\r
IN UINTN Height\r
)\r
{\r
+ UINT64 BufferSize;\r
+\r
if (BltBuffer == NULL) {\r
mIsLogoValid = FALSE;\r
mAcpiBgrtStatusChanged = TRUE;\r
FreePool (mLogoBltBuffer);\r
mLogoBltBuffer = NULL;\r
}\r
+ \r
+ //\r
+ // Ensure the Height * Width doesn't overflow\r
+ //\r
+ if (Height > DivU64x64Remainder ((UINTN) ~0, Width, NULL)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+ BufferSize = MultU64x64 (Width, Height);\r
+ \r
+ //\r
+ // Ensure the BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) doesn't overflow\r
+ //\r
+ if (BufferSize > DivU64x32 ((UINTN) ~0, sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL))) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
\r
mLogoBltBuffer = AllocateCopyPool (\r
- Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL),\r
+ (UINTN)BufferSize * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL),\r
BltBuffer\r
);\r
if (mLogoBltBuffer == NULL) {\r
// Allocate memory for BMP file.\r
//\r
PaddingSize = mLogoWidth & 0x3;\r
+\r
+ //\r
+ // First check mLogoWidth * 3 + PaddingSize doesn't overflow\r
+ //\r
+ if (mLogoWidth > (((UINT32) ~0) - PaddingSize) / 3 ) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // Second check (mLogoWidth * 3 + PaddingSize) * mLogoHeight + sizeof (BMP_IMAGE_HEADER) doesn't overflow\r
+ //\r
+ if (mLogoHeight > (((UINT32) ~0) - sizeof (BMP_IMAGE_HEADER)) / (mLogoWidth * 3 + PaddingSize)) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+ \r
BmpSize = (mLogoWidth * 3 + PaddingSize) * mLogoHeight + sizeof (BMP_IMAGE_HEADER);\r
ImageBuffer = BgrtAllocateReservedMemoryBelow4G (BmpSize);\r
if (ImageBuffer == NULL) {\r
projects / mirror_edk2.git / commitdiff