HexStr[2] = '\0';\r
while (Index < BufferLength) {\r
if (Buffer[Index] == '%') {\r
- if (!NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {\r
+ if (Index + 1 >= BufferLength || Index + 2 >= BufferLength || !NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {\r
return EFI_INVALID_PARAMETER;\r
}\r
HexStr[0] = Buffer[Index+1];\r
CHAR8 *FieldNameStr;\r
CHAR8 *FieldValueStr;\r
CHAR8 *StrPtr;\r
+ CHAR8 *EndofHeader;\r
\r
if (String == NULL || FieldName == NULL || FieldValue == NULL) {\r
return NULL;\r
FieldNameStr = NULL;\r
FieldValueStr = NULL;\r
StrPtr = NULL;\r
+ EndofHeader = NULL;\r
+\r
+\r
+ //\r
+ // Check whether the raw HTTP header string is valid or not.\r
+ //\r
+ EndofHeader = AsciiStrStr (String, "\r\n\r\n");\r
+ if (EndofHeader == NULL) {\r
+ return NULL;\r
+ }\r
\r
//\r
// Each header field consists of a name followed by a colon (":") and the field value.\r
\r
//\r
// The field value MAY be preceded by any amount of LWS, though a single SP is preferred.\r
+ // Note: LWS = [CRLF] 1*(SP|HT), it can be '\r\n ' or '\r\n\t' or ' ' or '\t'.\r
+ // CRLF = '\r\n'.\r
+ // SP = ' '.\r
+ // HT = '\t' (Tab).\r
//\r
while (TRUE) {\r
if (*FieldValueStr == ' ' || *FieldValueStr == '\t') {\r
+ //\r
+ // Boundary condition check. \r
+ //\r
+ if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 1) {\r
+ return NULL; \r
+ }\r
+ \r
FieldValueStr ++;\r
- } else if (*FieldValueStr == '\r' && *(FieldValueStr + 1) == '\n' &&\r
- (*(FieldValueStr + 2) == ' ' || *(FieldValueStr + 2) == '\t')) {\r
- FieldValueStr = FieldValueStr + 3;\r
+ } else if (*FieldValueStr == '\r') {\r
+ //\r
+ // Boundary condition check. \r
+ //\r
+ if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 3) {\r
+ return NULL; \r
+ }\r
+\r
+ if (*(FieldValueStr + 1) == '\n' && (*(FieldValueStr + 2) == ' ' || *(FieldValueStr + 2) == '\t')) {\r
+ FieldValueStr = FieldValueStr + 3;\r
+ }\r
} else {\r
break;\r
}\r