From: Ruiyu Ni <ruiyu.ni@intel.com>
Date: Mon, 5 Feb 2018 05:49:32 +0000 (+0800)
Subject: ShellPkg/map: Fix out-of-bound read when "map fsn"
X-Git-Tag: edk2-stable201903~2473
X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=4887443e4f03ec42ba422483f191ffe25a78eb3d;ds=inline

ShellPkg/map: Fix out-of-bound read when "map fsn"

The below code reads additional one CHAR16 when copying
content from Specific to NewSpecific.
NewSpecific = AllocateCopyPool(
                StrSize(Specific) + sizeof(CHAR16), Specific
                );

The patch fixes this issue.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
---

diff --git a/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c b/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c
index 3f5925f507..9166ca2205 100644
--- a/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c
+++ b/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c
@@ -1,7 +1,7 @@
 /** @file
   Main file for map shell level 2 command.
 
-  Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2013-2015 Hewlett-Packard Development Company, L.P.<BR>
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
   
@@ -220,19 +220,25 @@ MappingListHasType(
   IN CONST BOOLEAN    Consist
   )
 {
-  CHAR16 *NewSpecific;
-  RETURN_STATUS  Status;
+  CHAR16              *NewSpecific;
+  RETURN_STATUS       Status;
+  UINTN               Length;
   
   //
   // specific has priority
   //
   if (Specific != NULL) {
-    NewSpecific = AllocateCopyPool(StrSize(Specific) + sizeof(CHAR16), Specific);
+    Length      = StrLen (Specific);
+    //
+    // Allocate enough buffer for Specific and potential ":"
+    //
+    NewSpecific = AllocatePool ((Length + 2) * sizeof(CHAR16));
     if (NewSpecific == NULL){
       return FALSE;
     }
-    if (NewSpecific[StrLen(NewSpecific)-1] != L':') {
-      Status = StrnCatS(NewSpecific, (StrSize(Specific) + sizeof(CHAR16))/sizeof(CHAR16), L":", StrLen(L":"));
+    StrCpyS (NewSpecific, Length + 2, Specific);
+    if (Specific[Length - 1] != L':') {
+      Status = StrnCatS(NewSpecific, Length + 2, L":", StrLen(L":"));
       if (EFI_ERROR (Status)) {
         FreePool(NewSpecific);
         return FALSE;