MdeModulePkg FileExplorerLib: Fix potential Integer Overflow.

In function 'LibAppendFileName' of 'FileExplorer.c':
"
MaxLen = (Size1 + Size2 + sizeof (CHAR16))/ sizeof (CHAR16);
"
Overflow may happen here. MaxLen might become a very small number.
This patch adds integer overflow checker.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

diff --git a/MdeModulePkg/Library/FileExplorerLib/FileExplorer.c b/MdeModulePkg/Library/FileExplorerLib/FileExplorer.c
index 59c851b7b3b5c381b555b2296c87688148f28c05..41a22aa00c08b70c607170dd45ac123b590a045c 100644 (file)
--- a/MdeModulePkg/Library/FileExplorerLib/FileExplorer.c
+++ b/MdeModulePkg/Library/FileExplorerLib/FileExplorer.c
@@ -620,6 +620,14 @@ LibAppendFileName (
 \r
   Size1 = StrSize (Str1);\r
   Size2 = StrSize (Str2);\r
+  \r
+  //\r
+  // Check overflow\r
+  //\r
+  if (((MAX_UINTN - Size1) < Size2) || ((MAX_UINTN - Size1 - Size2) < sizeof(CHAR16))) {\r
+    return NULL;\r
+  }\r
+  \r
   MaxLen = (Size1 + Size2 + sizeof (CHAR16))/ sizeof (CHAR16);\r
   Str   = AllocateZeroPool (Size1 + Size2 + sizeof (CHAR16));\r
   ASSERT (Str != NULL);\r
@@ -963,6 +971,7 @@ LibGetFileHandleFromDevicePath (
     // the file system support below to be skipped.\r
     //\r
     Status = EFI_OUT_OF_RESOURCES;\r
+    goto Done;\r
   }\r
         \r
   //\r
@@ -992,6 +1001,11 @@ LibGetFileHandleFromDevicePath (
       *ParentFileName = AllocateCopyPool (StrSize (((FILEPATH_DEVICE_PATH *) DevicePathNode)->PathName), ((FILEPATH_DEVICE_PATH *) DevicePathNode)->PathName);\r
     } else {\r
       TempPath = LibAppendFileName (*ParentFileName, ((FILEPATH_DEVICE_PATH *) DevicePathNode)->PathName);\r
+      if (TempPath == NULL) {\r
+        LastHandle->Close (LastHandle);\r
+        Status = EFI_OUT_OF_RESOURCES;\r
+        goto Done;\r
+      }\r
       FreePool (*ParentFileName);\r
       *ParentFileName = TempPath;\r
     }\r
@@ -1067,12 +1081,14 @@ LibFindFiles (
   // Pass 1 to get Directories\r
   // Pass 2 to get files that are EFI images\r
   //\r
+  Status = EFI_SUCCESS;\r
   for (Pass = 1; Pass <= 2; Pass++) {\r
     FileHandle->SetPosition (FileHandle, 0);\r
     for (;;) {\r
       BufferSize  = DirBufferSize;\r
       Status      = FileHandle->Read (FileHandle, &BufferSize, DirInfo);\r
       if (EFI_ERROR (Status) || BufferSize == 0) {\r
+        Status = EFI_SUCCESS;\r
         break;\r
       }\r
 \r
@@ -1095,12 +1111,18 @@ LibFindFiles (
 \r
       NewMenuEntry = LibCreateMenuEntry ();\r
       if (NULL == NewMenuEntry) {\r
-        return EFI_OUT_OF_RESOURCES;\r
+        Status = EFI_OUT_OF_RESOURCES;\r
+        goto Done;\r
       }\r
 \r
       NewFileContext = (FILE_CONTEXT *) NewMenuEntry->VariableContext;\r
       NewFileContext->DeviceHandle = DeviceHandle;\r
       NewFileContext->FileName = LibAppendFileName (FileName, DirInfo->FileName);\r
+      if  (NewFileContext->FileName == NULL) {\r
+        LibDestroyMenuEntry (NewMenuEntry);\r
+        Status = EFI_OUT_OF_RESOURCES;\r
+        goto Done;\r
+      }\r
       NewFileContext->FileHandle = FileHandle;\r
       NewFileContext->DevicePath = FileDevicePath (NewFileContext->DeviceHandle, NewFileContext->FileName);\r
       NewMenuEntry->HelpString = NULL;\r
@@ -1135,9 +1157,11 @@ LibFindFiles (
 \r
   gFileExplorerPrivate.FsOptionMenu->MenuNumber = OptionNumber;\r
 \r
+Done:\r
+\r
   FreePool (DirInfo);\r
 \r
-  return EFI_SUCCESS;\r
+  return Status;\r
 }\r
 \r
 /**\r