From 577870d5603dca32d878e9908a7ec4d2852b590a Mon Sep 17 00:00:00 2001 From: Hao Wu Date: Mon, 13 Jul 2015 01:23:37 +0000 Subject: [PATCH] IntelFrameworkModulePkg BootMngr: Fix potential read over memory boundary This commit will resolve the issue brought by r17737. HelpString = AllocateCopyPool (HelpSize, L"Device Path : "); The above using of AllocateCopyPool() will read contents out of the scope of the constant string. Potential risk for the constant string allocated at the boundary of memory region. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Qiu Shumin Reviewed-by: Jeff Fan git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17932 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Universal/BdsDxe/BootMngr/BootManager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c
index 978959d6e7..6efd783ab2 100644
--- a/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c
+++ b/IntelFrameworkModulePkg/Universal/BdsDxe/BootMngr/BootManager.c
@@ -319,8 +319,9 @@ CallBootManager (
 TempStr = DevicePathToStr (Option->DevicePath);
 HelpSize = StrSize (TempStr) + StrSize (L"Device Path : ");
- HelpString = AllocateCopyPool (HelpSize, L"Device Path : ");
+ HelpString = AllocateZeroPool (HelpSize);
 ASSERT (HelpString != NULL);
+ StrCatS (HelpString, HelpSize / sizeof (CHAR16), L"Device Path : ");
 StrCatS (HelpString, HelpSize / sizeof (CHAR16), TempStr);
 HelpToken = HiiSetString (HiiHandle, 0, HelpString, NULL);
-- 2.39.2
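Review bot: The only guard on the new `AllocateZeroPool (HelpSize)` result is `ASSERT (HelpString != NULL);`, which is not a runtime check in builds where ASSERT is disabled. In such a build a failed allocation would hand a NULL destination to both `StrCatS` calls, whose return status is discarded, and then to `HiiSetString`. I would add an explicit `if (HelpString == NULL)` branch that skips building the help text for this option. How that branch should exit depends on the rest of CallBootManager, which lies outside the hunk. Separately, a short comment above the allocation would help future readers, for example `// Do not use AllocateCopyPool here: it would copy HelpSize bytes from the shorter literal.`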