MdeModulePkg/DxeCapsuleLibFmp: Add more check for the UX capsule
authorRuiyu Ni <ruiyu.ni@intel.com>
Fri, 16 Mar 2018 07:04:05 +0000 (15:04 +0800)
committerRuiyu Ni <ruiyu.ni@intel.com>
Fri, 16 Mar 2018 09:34:42 +0000 (17:34 +0800)
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c

index 15dbc00..555c597 100644 (file)
@@ -330,8 +330,25 @@ DisplayCapsuleImage (
   UINTN                         Width;\r
   EFI_GRAPHICS_OUTPUT_PROTOCOL  *GraphicsOutput;\r
 \r
-  ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)(CapsuleHeader + 1);\r
-  PayloadSize = CapsuleHeader->CapsuleImageSize - sizeof(EFI_CAPSULE_HEADER);\r
+  //\r
+  // UX capsule doesn't have extended header entries.\r
+  //\r
+  if (CapsuleHeader->HeaderSize != sizeof (EFI_CAPSULE_HEADER)) {\r
+    return EFI_UNSUPPORTED;\r
+  }\r
+  ImagePayload = (DISPLAY_DISPLAY_PAYLOAD *)((UINTN) CapsuleHeader + CapsuleHeader->HeaderSize);\r
+  //\r
+  // (CapsuleImageSize > HeaderSize) is guaranteed by IsValidCapsuleHeader().\r
+  //\r
+  PayloadSize = CapsuleHeader->CapsuleImageSize - CapsuleHeader->HeaderSize;\r
+\r
+  //\r
+  // Make sure the image payload at least contain the DISPLAY_DISPLAY_PAYLOAD header.\r
+  // Further size check is performed by the logic translating BMP to GOP BLT.\r
+  //\r
+  if (PayloadSize <= sizeof (DISPLAY_DISPLAY_PAYLOAD)) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
 \r
   if (ImagePayload->Version != 1) {\r
     return EFI_UNSUPPORTED;\r
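Review bot: The new `PayloadSize <= sizeof (DISPLAY_DISPLAY_PAYLOAD)` guard only works if CapsuleImageSize really is larger than HeaderSize, as the comment above it asserts; if any caller reaches DisplayCapsuleImage without IsValidCapsuleHeader() having run first, the unsigned subtraction wraps to a huge PayloadSize that passes the check and is then handed to the BMP-to-BLT translation. Since the function already validates HeaderSize on its own, making it self-contained is one line placed before the PayloadSize computation: `if (CapsuleHeader->CapsuleImageSize <= CapsuleHeader->HeaderSize) { return EFI_INVALID_PARAMETER; }`, which turns the comment into a note rather than a load-bearing assumption. Whether IsValidCapsuleHeader() is on every path into this function, and whether the BMP translation bounds-checks each field against PayloadSize as the second comment claims, cannot be confirmed from this hunk. DisplayCapsuleImage begins before and continues after this hunk.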