MdeModulePkg DxeCore: Fix potential FV overflow of 4GB boundary on a 32-bit systems.
authorStar Zeng <star.zeng@intel.com>
Wed, 17 Dec 2014 00:39:51 +0000 (00:39 +0000)
committerlzeng14 <lzeng14@Edk2>
Wed, 17 Dec 2014 00:39:51 +0000 (00:39 +0000)
Traversing a memory-mapped FV can overflow the 4GB limit on a 32-bit system
while setting up the linked list of FFS files inside the FV.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16527 6f19259b-4bc3-4df7-8a09-765794883524

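--- a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
+++ b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
@@ -482,7 +482,7 @@ FvCheck (
     FfsHeader = (EFI_FFS_FILE_HEADER *) (FvDevice->CachedFv);\r
   }\r
   TopFvAddress = FvDevice->EndOfCachedFv;\r
-  while ((UINT8 *) FfsHeader < TopFvAddress) {\r
+  while (((UINTN) FfsHeader >= (UINTN) FvDevice->CachedFv) && ((UINTN) FfsHeader <= (UINTN) ((UINTN) TopFvAddress - sizeof (EFI_FFS_FILE_HEADER)))) {\r
 \r
     if (FileCached) {\r
       CoreFreePool (CacheFfsHeader);\r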
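Review bot: The new `while` condition in FvCheck only guarantees that an `EFI_FFS_FILE_HEADER` fits between `FfsHeader` and `TopFvAddress`; it does not bound the file length read from that header, so a wrap past 4GB is detected one iteration late by the `>= (UINTN) FvDevice->CachedFv` comparison rather than prevented. The loop body lies outside this hunk, so this may already be handled there, but if it is not, the size taken from the header should be compared with `(UINTN) TopFvAddress - (UINTN) FfsHeader` before the pointer is advanced. If the body also parses extended-size headers (`EFI_FFS_FILE_HEADER2`), the bound used here is smaller than that header, which is worth confirming. A short comment above the loop, such as `// Lower bound catches FfsHeader wrapping past 4GB on 32-bit; upper bound keeps a whole file header inside the FV.`, would make the intent of the two comparisons clear.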