From: Ruiyu Ni <ruiyu.ni@intel.com>
Date: Wed, 13 Apr 2016 06:11:38 +0000 (+0800)
Subject: MdeModulePkg/Ps2Mouse: Fix potential buffer overflow issue.
X-Git-Tag: edk2-stable201903~7333
X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=aab04141dc13f2a0a6423c859c29fd3ef8761595;ds=sidebyside

MdeModulePkg/Ps2Mouse: Fix potential buffer overflow issue.

Count is initially 1 but is assigned to 2 in case PS2_READ_DATA_BYTE.
Though the state machine doesn't go back from PS2_READ_DATA_BYTE to
PS2_READ_BYTE_ONE (not a true bug), force assign Count to 1 to avoid
potential buffer overflow issue.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Shumin Qiu <shumin.qiu@intel.com>
---

diff --git a/MdeModulePkg/Bus/Isa/Ps2MouseDxe/CommPs2.c b/MdeModulePkg/Bus/Isa/Ps2MouseDxe/CommPs2.c
index 7539c3217a..0c0a1f48d9 100644
--- a/MdeModulePkg/Bus/Isa/Ps2MouseDxe/CommPs2.c
+++ b/MdeModulePkg/Bus/Isa/Ps2MouseDxe/CommPs2.c
@@ -343,7 +343,6 @@ PS2MouseGetPacket (
   BOOLEAN     RButton;
 
   KeyboardEnable  = FALSE;
-  Count           = 1;
   State           = PS2_READ_BYTE_ONE;
 
   //
@@ -357,6 +356,7 @@ PS2MouseGetPacket (
       // Read mouse first byte data, if failed, immediately return
       //
       KbcDisableAux ();
+      Count  = 1;
       Status = PS2MouseRead (&Data, &Count, State);
       if (EFI_ERROR (Status)) {
         KbcEnableAux ();