From: Jian J Wang Date: Thu, 28 Dec 2017 02:22:39 +0000 (+0800) Subject: MdeModulePkg/DxePrintLibPrint2Protocol: Fix error in Precision position calculation X-Git-Tag: edk2-stable201903~2701 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=941b3c4845146e7bc0203a9e78c4554e11c66863;ds=sidebyside MdeModulePkg/DxePrintLibPrint2Protocol: Fix error in Precision position calculation Due to a potential hole in the stop condition of loop, the two continuous access to ArgumentString (index, index+1) inside the loop might cause the string ending character ('\0') and the byte after it to be read. Cc: Michael D Kinney Cc: Liming Gao Cc: Jiewen Yao Cc: Star Zeng Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang Reviewed-by: Liming Gao Reviewed-by: Star Zeng --- diff --git a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c index 56534e56c3..570d06d82e 100644 --- a/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c +++ b/MdeModulePkg/Library/DxePrintLibPrint2Protocol/PrintLib.c @@ -2050,7 +2050,10 @@ InternalPrintLibSPrintMarker ( // Compute the number of characters in ArgumentString and store it in Count // ArgumentString is either null-terminated, or it contains Precision characters // - for (Count = 0; Count < Precision || ((Flags & PRECISION) == 0); Count++) { + for (Count = 0; + ArgumentString[Count * BytesPerArgumentCharacter] != '\0' && + Count < Precision || ((Flags & PRECISION) == 0); + Count++) { ArgumentCharacter = ((ArgumentString[Count * BytesPerArgumentCharacter] & 0xff) | ((ArgumentString[Count * BytesPerArgumentCharacter + 1]) << 8)) & ArgumentMask; if (ArgumentCharacter == 0) { break; 
@@ -2107,7 +2110,7 @@ InternalPrintLibSPrintMarker ( // // Copy the string into the output buffer performing the required type conversions // - while (Index < Count) { + while (Index < Count && (*ArgumentString) != '\0') { ArgumentCharacter = ((*ArgumentString & 0xff) | (((UINT8)*(ArgumentString + 1)) << 8)) & ArgumentMask; LengthToReturn += (1 * BytesPerOutputCharacter);
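Review bot: In the first hunk (@@ -2050), the new loop condition mixes && and || without parentheses, so it parses as (ArgumentString[Count * BytesPerArgumentCharacter] != '\0' && Count < Precision) || ((Flags & PRECISION) == 0). When the PRECISION flag is clear, the right-hand operand is always true and the added terminator test never stops the loop. That path still enters the body at the terminator and reads both index and index + 1 before the `ArgumentCharacter == 0` break, which is the read the commit message sets out to prevent. The test also inspects one byte, while the body assembles ArgumentCharacter from two bytes and masks it with ArgumentMask. If BytesPerArgumentCharacter is 2, a character with a zero low byte and a non-zero high byte would end the count early. Suggest writing the grouping explicitly, for example `(((Flags & PRECISION) == 0) || (Count < Precision))`, and making the end-of-string test apply to both cases and to the full character width rather than to the first byte only.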
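Review bot: In the second hunk (@@ -2107), the added `(*ArgumentString) != '\0'` test checks a single byte, but the loop body builds ArgumentCharacter from *ArgumentString and *(ArgumentString + 1) under ArgumentMask. For a two-byte argument character whose low byte is zero, the copy would stop before Count characters have been written, so the output could be shorter than the length computed in the first loop. Count is already described in the earlier comment as the number of characters in ArgumentString, so this extra test should be redundant if that loop is correct. If it is kept as a defensive check, suggest comparing the assembled and masked ArgumentCharacter against 0 instead of the first byte, and adding a comment that says why `Index < Count` alone is not trusted here.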