From 81464cf1067b6b1d26679b20104c665e902647c5 Mon Sep 17 00:00:00 2001
From: xli24 <xli24@6f19259b-4bc3-4df7-8a09-765794883524>
Date: Tue, 13 Jan 2009 08:29:55 +0000
Subject: [PATCH] Update for code security.

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@7255 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c        | 17 +++++++++++++++++
 MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.h        |  1 +
 .../Bus/Usb/UsbMassStorageDxe/UsbMassImpl.c     |  6 +++---
 .../Library/DxePlatDriOverLib/PlatDriOverLib.c  |  2 ++
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
index 79598c5a01..3c72822a6d 100644
--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
@@ -1161,6 +1161,8 @@ KeyboardHandler (
       // Handle repeat key
       //
       KeyDescriptor = GetKeyDescriptor (UsbKeyboardDevice, CurKeyCodeBuffer[Index]);
+      ASSERT (KeyDescriptor != NULL);
+
       if (KeyDescriptor->Modifier == EFI_NUM_LOCK_MODIFIER || KeyDescriptor->Modifier == EFI_CAPS_LOCK_MODIFIER) {
         //
         // For NumLock or CapsLock pressed, there is no need to handle repeat key for them.
@@ -1302,6 +1304,8 @@ USBParseKey (
     RemoveKeyCode (&(UsbKeyboardDevice->KeyboardBuffer), &UsbKey);
 
     KeyDescriptor = GetKeyDescriptor (UsbKeyboardDevice, UsbKey.KeyCode);
+    ASSERT (KeyDescriptor != NULL);
+
     if (!UsbKey.Down) {
       //
       // Key is released.
@@ -1546,6 +1550,7 @@ USBParseKey (
   @retval EFI_INVALID_PARAMETER KeyCode is not in the range of 0x4 to 0x65.
   @retval EFI_INVALID_PARAMETER Translated EFI_INPUT_KEY has zero for both ScanCode and UnicodeChar.
   @retval EFI_NOT_READY         KeyCode represents a dead key with EFI_NS_KEY_MODIFIER
+  @retval EFI_DEVICE_ERROR      Keyboard layout is invalid.
 
 **/
 EFI_STATUS
@@ -1569,6 +1574,7 @@ UsbKeyCodeToEfiInputKey (
   }
 
   KeyDescriptor = GetKeyDescriptor (UsbKeyboardDevice, KeyCode);
+  ASSERT (KeyDescriptor != NULL);
 
   if (KeyDescriptor->Modifier == EFI_NS_KEY_MODIFIER) {
     //
@@ -1587,6 +1593,13 @@ UsbKeyCodeToEfiInputKey (
     UsbKeyboardDevice->CurrentNsKey = NULL;
   }
 
+  //
+  // Make sure modifier of Key Descriptor is in the valid range according to UEFI spec.
+  //
+  if (KeyDescriptor->Modifier > EFI_FUNCTION_KEY_TWELVE_MODIFIER) {
+    return EFI_DEVICE_ERROR;
+  }
+
   Key->ScanCode = ModifierValueToEfiScanCodeConvertionTable[KeyDescriptor->Modifier];
   Key->UnicodeChar = KeyDescriptor->Unicode;
 
@@ -1804,6 +1817,8 @@ InsertKeyCode (
     RemoveKeyCode (KeyboardBuffer, &UsbKey);
   }
 
+  ASSERT (KeyboardBuffer->BufferTail <= MAX_KEY_ALLOWED);
+
   KeyboardBuffer->Buffer[KeyboardBuffer->BufferTail].KeyCode = Key;
   KeyboardBuffer->Buffer[KeyboardBuffer->BufferTail].Down    = Down;
 
@@ -1835,6 +1850,8 @@ RemoveKeyCode (
     return EFI_DEVICE_ERROR;
   }
 
+  ASSERT (KeyboardBuffer->BufferHead <= MAX_KEY_ALLOWED);
+
   UsbKey->KeyCode = KeyboardBuffer->Buffer[KeyboardBuffer->BufferHead].KeyCode;
   UsbKey->Down    = KeyboardBuffer->Buffer[KeyboardBuffer->BufferHead].Down;
 
diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.h b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.h
index aab3d24e67..60ebee1daa 100644
--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.h
+++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.h
@@ -161,6 +161,7 @@ USBParseKey (
   @retval EFI_INVALID_PARAMETER KeyCode is not in the range of 0x4 to 0x65.
   @retval EFI_INVALID_PARAMETER Translated EFI_INPUT_KEY has zero for both ScanCode and UnicodeChar.
   @retval EFI_NOT_READY         KeyCode represents a dead key with EFI_NS_KEY_MODIFIER
+  @retval EFI_DEVICE_ERROR      Keyboard layout is invalid.
 
 **/
 EFI_STATUS
diff --git a/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassImpl.c b/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassImpl.c
index 0db4c14356..15fdad573d 100644
--- a/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassImpl.c
+++ b/MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassImpl.c
@@ -596,10 +596,10 @@ UsbMassInitMultiLun (
   return EFI_SUCCESS;
 
 ON_ERROR:
-  if (UsbMass->DevicePath != NULL) {
-    FreePool (UsbMass->DevicePath);
-  }
   if (UsbMass != NULL) {
+    if (UsbMass->DevicePath != NULL) {
+      FreePool (UsbMass->DevicePath);
+    }
     FreePool (UsbMass);
   }
   if (UsbIo != NULL) {
diff --git a/MdeModulePkg/Library/DxePlatDriOverLib/PlatDriOverLib.c b/MdeModulePkg/Library/DxePlatDriOverLib/PlatDriOverLib.c
index 81570a2111..f2aad41e7a 100644
--- a/MdeModulePkg/Library/DxePlatDriOverLib/PlatDriOverLib.c
+++ b/MdeModulePkg/Library/DxePlatDriOverLib/PlatDriOverLib.c
@@ -1800,6 +1800,8 @@ ConnectDevicePath (
     // After this call DevicePath points to the next Instance
     //
     Instance  = GetNextDevicePathInstance (&DevicePath, &Size);
+    ASSERT (Instance != NULL);
+
     Next      = Instance;
     while (!IsDevicePathEndType (Next)) {
       Next = NextDevicePathNode (Next);
-- 
2.39.5