From: Leif Lindholm Date: Mon, 13 Jul 2015 11:35:28 +0000 (+0000) Subject: MdePkg: ensure SafeString length functions don't access beyond MaxSize X-Git-Tag: edk2-stable201903~9341 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=2ad9cf37a492e69a4e1b7624d92d9a35fce083fc MdePkg: ensure SafeString length functions don't access beyond MaxSize The StrnLenS and AsciiStrnLenS functions, when presented with a string with no terminating NULL in the first MaxSize characters will check the character at String[MaxSize] before checking if Length < MaxSize. (They return the correct value, but have accessed beyond the stated limit in the process.) Flip the order of the tests to prevent this behaviour. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Leif Lindholm Reviewed-by: Jiewen Yao Reviewed-by: Liming Gao git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17936 6f19259b-4bc3-4df7-8a09-765794883524 --- diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c index 7c1b0758f3..b0e1ce72e2 100644 --- a/MdePkg/Library/BaseLib/SafeString.c +++ b/MdePkg/Library/BaseLib/SafeString.c @@ -141,7 +141,7 @@ StrnLenS ( // String then StrnLenS returns MaxSize. At most the first MaxSize characters of String shall // be accessed by StrnLenS. // - for (Length = 0; (*String != 0) && (Length < MaxSize); String++, Length++) { + for (Length = 0; (Length < MaxSize) && (*String != 0); String++, Length++) { ; } return Length; @@ -551,7 +551,7 @@ AsciiStrnLenS ( // String then AsciiStrnLenS returns MaxSize. At most the first MaxSize characters of String shall // be accessed by AsciiStrnLenS. // - for (Length = 0; (*String != 0) && (Length < MaxSize); String++, Length++) { + for (Length = 0; (Length < MaxSize) && (*String != 0); String++, Length++) { ; } return Length;