From: Hao Wu Date: Mon, 13 Jul 2015 01:23:37 +0000 (+0000) Subject: IntelFrameworkModulePkg BootMngr: Fix potential read over memory boundary X-Git-Tag: edk2-stable201903~9345 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=577870d5603dca32d878e9908a7ec4d2852b590a;hp=a3c9617ea6a02c2ac747cf274fe9025f2d42c9bb IntelFrameworkModulePkg BootMngr: Fix potential read over memory boundary This commit will resolve the issue brought by r17737. HelpString = AllocateCopyPool (HelpSize, L"Device Path : "); The above using of AllocateCopyPool() will read contents out of the scope of the constant string. Potential risk for the constant string allocated at the boundary of memory region. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Qiu Shumin Reviewed-by: Jeff Fan git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17932 6f19259b-4bc3-4df7-8a09-765794883524 --- diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c index 978959d6e7..6efd783ab2 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c @@ -319,8 +319,9 @@ CallBootManager ( TempStr = DevicePathToStr (Option->DevicePath); HelpSize = StrSize (TempStr) + StrSize (L"Device Path : "); - HelpString = AllocateCopyPool (HelpSize, L"Device Path : "); + HelpString = AllocateZeroPool (HelpSize); ASSERT (HelpString != NULL); + StrCatS (HelpString, HelpSize / sizeof (CHAR16), L"Device Path : "); StrCatS (HelpString, HelpSize / sizeof (CHAR16), TempStr); HelpToken = HiiSetString (HiiHandle, 0, HelpString, NULL);
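Review bot: the ASSERT (HelpString != NULL) that follows AllocateZeroPool (HelpSize) is still the only handling of allocation failure in this hunk. In builds where ASSERT is compiled out, a NULL HelpString goes straight into both StrCatS () calls and then into HiiSetString (). An explicit "if (HelpString == NULL)" branch that skips or aborts this boot option would make the failure path defined in release builds as well. The RETURN_STATUS values of the two StrCatS () calls are also discarded. Since HelpSize is computed from the same two strings the calls should not fail, but checking or asserting on the result would catch a later edit that changes one string without the other. On that point, L"Device Path : " now appears twice in the hunk (once in the size calculation, once in the copy), so a single named constant would keep the two in step. Finally, the first append relies on the buffer being zero-filled. StrCpyS () for the prefix followed by StrCatS () for TempStr would state the intent more directly and would not depend on which allocator was used.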