MdeModulePkg: Fix potential buffer overflow issues.

author Eric Dong <eric.dong@intel.com>

Tue, 19 May 2015 09:26:25 +0000 (09:26 +0000)

committer ydong10 <ydong10@Edk2>

Tue, 19 May 2015 09:26:25 +0000 (09:26 +0000)
author Eric Dong <eric.dong@intel.com>
Tue, 19 May 2015 09:26:25 +0000 (09:26 +0000)
committer ydong10 <ydong10@Edk2>
Tue, 19 May 2015 09:26:25 +0000 (09:26 +0000)
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.h b/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.h

index eeb9b2f3182525015a716f650c002dcdbbb8b502..063e94c6bc4d45139ca508fac6e7b1c4cb004c59 100644 (file)
--- a/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.h
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.h
@@ -113,8 +113,9 @@ extern BOOLEAN           gMisMatch;
  //\r
  // It take 23 characters including the NULL to print a 64 bits number with "[" and "]".\r
  // pow(2, 64) = [18446744073709551616]\r
+// with extra '-' flat, set the width to 24.\r
  //\r
-#define MAX_NUMERIC_INPUT_WIDTH 23\r
+#define MAX_NUMERIC_INPUT_WIDTH 24\r
  \r
  #define EFI_HII_EXPRESSION_INCONSISTENT_IF   0\r
  #define EFI_HII_EXPRESSION_NO_SUBMIT_IF      1\r
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c b/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c

index 01e114b0e34f481d34bd832701de479080bc3660..637cfda3f6f2d48a39003bafc156ca54de41b2eb 100644 (file)
--- a/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
@@ -1561,12 +1561,15 @@ IfrMatch2 (
                          &BufferSize,\r
                          HandleBuffer);\r
  \r
-  } else if (EFI_ERROR (Status)) {\r
+  }\r
+\r
+  if (EFI_ERROR (Status)) {\r
      Result->Type = EFI_IFR_TYPE_UNDEFINED;\r
      Status = EFI_SUCCESS;\r
      goto Done;\r
    }\r
  \r
+  ASSERT (HandleBuffer != NULL);\r
    for ( Index = 0; Index < BufferSize / sizeof(EFI_HANDLE); Index ++) {\r
      Status = gBS->HandleProtocol (\r
                    HandleBuffer[Index],\r
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c b/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c

index 8ddc449e69b63c00b5aea2a20c364b5b1c0efa5e..3785c32f3c6ae47f4fa85a1d1a025522d56dcefb 100644 (file)
--- a/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
@@ -2144,6 +2144,7 @@ ParseOpCodes (
      // Option\r
      //\r
      case EFI_IFR_ONE_OF_OPTION_OP:\r
+      ASSERT (ParentStatement != NULL);\r
        if (ParentStatement->Operand == EFI_IFR_ORDERED_LIST_OP && ((((EFI_IFR_ONE_OF_OPTION *) OpCodeData)->Flags & (EFI_IFR_OPTION_DEFAULT | EFI_IFR_OPTION_DEFAULT_MFG)) != 0)) {\r
          //\r
          // It's keep the default value for ordered list opcode.\r
@@ -2198,7 +2199,6 @@ ParseOpCodes (
          CopyMem (CurrentOption->SuppressExpression->Expression, GetConditionalExpressionList(ExpressOption), (UINTN) (sizeof (FORM_EXPRESSION *) * ConditionalExprCount));\r
        }\r
  \r
-      ASSERT (ParentStatement != NULL);\r
        //\r
        // Insert to Option list of current Question\r
        //\r
author	Eric Dong <eric.dong@intel.com>
	Tue, 19 May 2015 09:26:25 +0000 (09:26 +0000)
committer	ydong10 <ydong10@Edk2>
	Tue, 19 May 2015 09:26:25 +0000 (09:26 +0000)
MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.h		patch \| blob \| blame \| history
MdeModulePkg/Universal/SetupBrowserDxe/Expression.c		patch \| blob \| blame \| history
MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c		patch \| blob \| blame \| history