From: Star Zeng <star.zeng@intel.com>
Date: Wed, 17 Dec 2014 00:39:51 +0000 (+0000)
Subject: MdeModulePkg DxeCore: Fix potential FV overflow of 4GB boundary on a 32-bit systems.
X-Git-Tag: edk2-stable201903~10522
X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=fd8a2eb062678ea4f286974137bb2aec259e7321

MdeModulePkg DxeCore: Fix potential FV overflow of 4GB boundary on a 32-bit systems.

The traversing of a Memory Mapped FV can overflow the 4GB limit on a 32bit system
during the setting up a Linked List of FFS file inside the FV.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16527 6f19259b-4bc3-4df7-8a09-765794883524
---

diff --git a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
index f4a6179188..0ca765d691 100644
--- a/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
+++ b/MdeModulePkg/Core/Dxe/FwVol/FwVol.c
@@ -482,7 +482,7 @@ FvCheck (
     FfsHeader = (EFI_FFS_FILE_HEADER *) (FvDevice->CachedFv);
   }
   TopFvAddress = FvDevice->EndOfCachedFv;
-  while ((UINT8 *) FfsHeader < TopFvAddress) {
+  while (((UINTN) FfsHeader >= (UINTN) FvDevice->CachedFv) && ((UINTN) FfsHeader <= (UINTN) ((UINTN) TopFvAddress - sizeof (EFI_FFS_FILE_HEADER)))) {
 
     if (FileCached) {
       CoreFreePool (CacheFfsHeader);