From: Ruiyu Ni <ruiyu.ni@intel.com>
Date: Fri, 2 Feb 2018 10:47:18 +0000 (+0800)
Subject: MdePkg/SafeString: Fix potential out-of-bound memory access
X-Git-Tag: edk2-stable201903~2474
X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=56658c22a674062e46f5bfd2d4da71a88bf3c0e5;hp=56658c22a674062e46f5bfd2d4da71a88bf3c0e5;ds=sidebyside

MdePkg/SafeString: Fix potential out-of-bound memory access

Today's implementation of [Ascii]StrnCpyS/[Ascii]StrnCatS calls
StrnLenS () to get the length of source string but supplies the
destination buffer size as max size.
It's a bug that may cause out-of-bound memory access.
For example:
  StrnCpyS (Dest[10], 10, "hello", 6)
  -> StrnLenS ("hello", 10) //< cause out-of bound memory access

In a pool guard enabled environment, when using shell to edit an
existing file which contains empty line, the page fault is met.

The patch fixes the four library functions to avoid such
out-of-bound memory access.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
---