From: Jian J Wang Date: Mon, 25 Dec 2017 02:07:39 +0000 (+0800) Subject: MdePkg/BasePrintLib: Fix error in Precision position calculation X-Git-Tag: edk2-stable201903~2702 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=6805854a736b0e0192fb4863da4db4295345c87b;ds=sidebyside MdePkg/BasePrintLib: Fix error in Precision position calculation Due to a potential hole in the stop condition of loop, the two continuous access to ArgumentString (index, index+1) inside the loop might cause the string ending character ('\0') and the byte after it to be read. Cc: Michael D Kinney Cc: Liming Gao Cc: Jiewen Yao Cc: Star Zeng Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang Reviewed-by: Liming Gao --- diff --git a/MdePkg/Library/BasePrintLib/PrintLibInternal.c b/MdePkg/Library/BasePrintLib/PrintLibInternal.c index 28d946472f..fc57255068 100644 --- a/MdePkg/Library/BasePrintLib/PrintLibInternal.c +++ b/MdePkg/Library/BasePrintLib/PrintLibInternal.c @@ -1107,7 +1107,10 @@ BasePrintLibSPrintMarker ( // Compute the number of characters in ArgumentString and store it in Count // ArgumentString is either null-terminated, or it contains Precision characters // - for (Count = 0; Count < Precision || ((Flags & PRECISION) == 0); Count++) { + for (Count = 0; + ArgumentString[Count * BytesPerArgumentCharacter] != '\0' && + (Count < Precision || ((Flags & PRECISION) == 0)); + Count++) { ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask; if (ArgumentCharacter == 0) { break; 
@@ -1164,7 +1167,7 @@ BasePrintLibSPrintMarker ( // // Copy the string into the output buffer performing the required type conversions // - while (Index < Count) { + while (Index < Count && (*ArgumentString) != '\0') { ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask; LengthToReturn += (1 * BytesPerOutputCharacter);
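Review bot: In the first hunk (@@ -1107,7 +1107,10 @@), the new for condition reads `ArgumentString[Count * BytesPerArgumentCharacter]` before it tests `Count < Precision`, so the read is not bounded by the precision. The comment above the loop allows an argument that is not null-terminated and holds exactly Precision characters; in that case the element at index Precision is read before the bound stops the loop. Putting `(Count < Precision || ((Flags & PRECISION) == 0))` first lets it short-circuit the read. The added test also looks at a single byte, while the body assembles ArgumentCharacter from the bytes at index and index + 1 and applies ArgumentMask. When BytesPerArgumentCharacter is 2, a character whose low byte is zero would end the count early, so the terminator check is better made on the masked ArgumentCharacter, which the existing `if (ArgumentCharacter == 0)` already does.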
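Review bot: In the second hunk (@@ -1164,7 +1167,7 @@), the added `(*ArgumentString) != '\0'` compares one byte, but the next line builds ArgumentCharacter from `*ArgumentString` and `*(ArgumentString + 1)`. For two-byte characters, a non-terminator whose low byte is zero would stop the copy before Count characters have been processed, leaving the output shorter than the Count computed in the earlier loop. Since that loop already stops Count at the terminator, either drop this extra test or break on the masked ArgumentCharacter being zero, and add a comment saying which case the guard covers that Count does not. The body still reads `*(ArgumentString + 1)` unconditionally, so for a non-terminated argument limited by Precision the byte after the last character is still read here.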