From 5ad66ec6925f1564137752be4d8656d462ebeaf2 Mon Sep 17 00:00:00 2001
From: Dandan Bi <dandan.bi@intel.com>
Date: Mon, 29 Jun 2015 02:36:31 +0000
Subject: [PATCH] MdeModulePkg:Use safe string functions

Replace unsafe String functions with new added safe string functions

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17724 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Library/UefiHiiLib/HiiLib.c      | 25 +++++---
 .../Universal/DisplayEngineDxe/FormDisplay.c  | 32 +++++-----
 .../Universal/DisplayEngineDxe/InputHandler.c | 20 +++---
 .../DisplayEngineDxe/ProcessOptions.c         | 30 +++++----
 .../Universal/DriverSampleDxe/DriverSample.c  | 10 +--
 .../HiiDatabaseDxe/ConfigKeywordHandler.c     | 56 +++++++++--------
 .../Universal/HiiDatabaseDxe/ConfigRouting.c  | 62 ++++++++++---------
 .../Universal/HiiDatabaseDxe/Database.c       |  6 +-
 MdeModulePkg/Universal/HiiDatabaseDxe/Font.c  | 20 +++---
 .../Universal/HiiDatabaseDxe/String.c         | 10 +--
 .../Universal/SetupBrowserDxe/Expression.c    |  8 ++-
 .../Universal/SetupBrowserDxe/IfrParse.c      | 17 +++--
 .../Universal/SetupBrowserDxe/Setup.c         | 60 ++++++++++--------
 13 files changed, 201 insertions(+), 155 deletions(-)

diff --git a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
index 7ae5c4c077..bee5e0d22c 100644
--- a/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
+++ b/MdeModulePkg/Library/UefiHiiLib/HiiLib.c
@@ -1,7 +1,7 @@
 /** @file
   HII Library implementation that uses DXE protocols and services.
 
-  Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -606,6 +606,7 @@ HiiConstructConfigHdr (
   CHAR16                    *ReturnString;
   UINTN                     Index;
   UINT8                     *Buffer;
+  UINTN                     MaxLen;
 
   //
   // Compute the length of Name in Unicode characters.  
@@ -636,7 +637,8 @@ HiiConstructConfigHdr (
   // GUID=<HexCh>32&NAME=<Char>NameLength&PATH=<HexChar>DevicePathSize <Null>
   // | 5 | sizeof (EFI_GUID) * 2 | 6 | NameStrLen*4 | 6 | DevicePathSize * 2 | 1 |
   //
-  String = AllocateZeroPool ((5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1) * sizeof (CHAR16));
+  MaxLen = 5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1;
+  String = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   if (String == NULL) {
     return NULL;
   }
@@ -644,7 +646,8 @@ HiiConstructConfigHdr (
   //
   // Start with L"GUID="
   //
-  ReturnString = StrCpy (String, L"GUID=");
+  StrCpyS (String, MaxLen, L"GUID=");
+  ReturnString = String;
   String += StrLen (String);
 
   if (Guid != NULL) {
@@ -659,7 +662,7 @@ HiiConstructConfigHdr (
   //
   // Append L"&NAME="
   //
-  StrCpy (String, L"&NAME=");
+  StrCpyS (String, MaxLen, L"&NAME=");
   String += StrLen (String);
 
   if (Name != NULL) {
@@ -674,7 +677,7 @@ HiiConstructConfigHdr (
   //
   // Append L"&PATH="
   //
-  StrCpy (String, L"&PATH=");
+  StrCpyS (String, MaxLen, L"&PATH=");
   String += StrLen (String);
 
   //
@@ -786,7 +789,7 @@ InternalHiiGetBufferFromString (
     StringPtr = (CHAR16 *) DataBuffer;
     ZeroMem (TemStr, sizeof (TemStr));
     for (Index = 0; Index < Length; Index += 4) {
-      StrnCpy (TemStr, ConfigHdr + Index, 4);
+      StrnCpyS (TemStr, sizeof (TemStr) / sizeof (CHAR16), ConfigHdr + Index, 4);
       StringPtr[Index/4] = (CHAR16) StrHexToUint64 (TemStr);
     }
     //
@@ -2011,6 +2014,7 @@ InternalHiiIfrValueAction (
 
   EFI_HII_PACKAGE_LIST_HEADER  *HiiPackageList;
   UINTN                        PackageListLength;
+  UINTN                        MaxLen;
   EFI_DEVICE_PATH_PROTOCOL     *DevicePath;
   EFI_DEVICE_PATH_PROTOCOL     *TempDevicePath;
 
@@ -2266,14 +2270,15 @@ NextConfigAltResp:
     // Construct ConfigAltHdr string  "&<ConfigHdr>&ALTCFG=\0" 
     //                               | 1 | StrLen (ConfigHdr) | 8 | 1 |
     //
-    ConfigAltHdr = AllocateZeroPool ((1 + StringPtr - StringHdr + 8 + 1) * sizeof (CHAR16));
+    MaxLen = 1 + StringPtr - StringHdr + 8 + 1;
+    ConfigAltHdr = AllocateZeroPool ( MaxLen * sizeof (CHAR16));
     if (ConfigAltHdr == NULL) {
       Status = EFI_OUT_OF_RESOURCES;
       goto Done;
     }
-    StrCpy (ConfigAltHdr, L"&");
-    StrnCat (ConfigAltHdr, StringHdr, StringPtr - StringHdr);
-    StrCat (ConfigAltHdr, L"&ALTCFG=");
+    StrCpyS (ConfigAltHdr, MaxLen, L"&");
+    StrnCatS (ConfigAltHdr, MaxLen, StringHdr, StringPtr - StringHdr);
+    StrCatS (ConfigAltHdr, MaxLen, L"&ALTCFG=");
     
     //
     // Skip all AltResp (AltConfigHdr ConfigBody) for the same ConfigHdr
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c b/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c
index 9f50f832aa..ae3038b6cb 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/FormDisplay.c
@@ -2149,6 +2149,7 @@ FxConfirmPopup (
   UINT32                          CheckFlags;
   BOOLEAN                         RetVal;
   UINTN                           CatLen;
+  UINTN                           MaxLen;
 
   CfmStrLen = 0;
   CatLen    = StrLen (gConfirmMsgConnect);
@@ -2209,50 +2210,51 @@ FxConfirmPopup (
   // Allocate buffer to save the string.
   // String + "?" + "\0"
   //
-  CfmStr = AllocateZeroPool ((CfmStrLen + 1 + 1) * sizeof (CHAR16));
+  MaxLen = CfmStrLen + 1 + 1;
+  CfmStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   ASSERT (CfmStr != NULL);
 
   if ((Action & BROWSER_ACTION_DISCARD) == BROWSER_ACTION_DISCARD) {
-    StrCpy (CfmStr, gConfirmDiscardMsg);
+    StrCpyS (CfmStr, MaxLen, gConfirmDiscardMsg);
   }
 
   if ((Action & BROWSER_ACTION_DEFAULT) == BROWSER_ACTION_DEFAULT) {
     if (CfmStr[0] != 0) {
-      StrCat (CfmStr, gConfirmMsgConnect);
-      StrCat (CfmStr, gConfirmDefaultMsg2nd);
+      StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+      StrCatS (CfmStr, MaxLen, gConfirmDefaultMsg2nd);
     } else {
-      StrCpy (CfmStr, gConfirmDefaultMsg);
+      StrCpyS (CfmStr, MaxLen, gConfirmDefaultMsg);
     }
   }
 
   if ((Action & BROWSER_ACTION_SUBMIT)  == BROWSER_ACTION_SUBMIT) {
     if (CfmStr[0] != 0) {
-      StrCat (CfmStr, gConfirmMsgConnect);
-      StrCat (CfmStr, gConfirmSubmitMsg2nd);
+      StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+      StrCatS (CfmStr, MaxLen, gConfirmSubmitMsg2nd);
     } else {
-      StrCpy (CfmStr, gConfirmSubmitMsg);
+      StrCpyS (CfmStr, MaxLen, gConfirmSubmitMsg);
     }
   }
 
   if ((Action & BROWSER_ACTION_RESET)  == BROWSER_ACTION_RESET) {
     if (CfmStr[0] != 0) {
-      StrCat (CfmStr, gConfirmMsgConnect);
-      StrCat (CfmStr, gConfirmResetMsg2nd);
+      StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+      StrCatS (CfmStr, MaxLen, gConfirmResetMsg2nd);
     } else {
-      StrCpy (CfmStr, gConfirmResetMsg);
+      StrCpyS (CfmStr, MaxLen, gConfirmResetMsg);
     }
   }
 
   if ((Action & BROWSER_ACTION_EXIT)  == BROWSER_ACTION_EXIT) {
     if (CfmStr[0] != 0) {
-      StrCat (CfmStr, gConfirmMsgConnect);
-      StrCat (CfmStr, gConfirmExitMsg2nd);
+      StrCatS (CfmStr, MaxLen, gConfirmMsgConnect);
+      StrCatS (CfmStr, MaxLen, gConfirmExitMsg2nd);
     } else {
-      StrCpy (CfmStr, gConfirmExitMsg);
+      StrCpyS (CfmStr, MaxLen, gConfirmExitMsg);
     }
   }
 
-  StrCat (CfmStr, gConfirmMsgEnd);
+  StrCatS (CfmStr, MaxLen, gConfirmMsgEnd);
 
   do {
     CreateDialog (&Key, gEmptyString, CfmStr, gConfirmOpt, gEmptyString, NULL);
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c b/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c
index a0b87ff7be..bbbbdaa8c1 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/InputHandler.c
@@ -1,7 +1,7 @@
 /** @file
 Implementation for handling user input from the User Interfaces.
 
-Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -84,6 +84,7 @@ ReadString (
   UINTN                   Maximum;
   FORM_DISPLAY_ENGINE_STATEMENT  *Question;
   BOOLEAN                 IsPassword;
+  UINTN                   MaxLen;
 
   DimensionsWidth  = gStatementDimensions.RightColumn - gStatementDimensions.LeftColumn;
   DimensionsHeight = gStatementDimensions.BottomRow - gStatementDimensions.TopRow;
@@ -102,7 +103,8 @@ ReadString (
     IsPassword = FALSE;
   }
 
-  TempString = AllocateZeroPool ((Maximum + 1)* sizeof (CHAR16));
+  MaxLen = Maximum + 1;
+  TempString = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   ASSERT (TempString);
 
   if (ScreenSize < (Maximum + 1)) {
@@ -244,7 +246,7 @@ ReadString (
         //
         // Effectively truncate string by 1 character
         //
-        StrCpy (StringPtr, TempString);
+        StrCpyS (StringPtr, MaxLen, TempString);
         CurrentCursor --;
       }
 
@@ -253,7 +255,7 @@ ReadString (
       // If it is the beginning of the string, don't worry about checking maximum limits
       //
       if ((StringPtr[0] == CHAR_NULL) && (Key.UnicodeChar != CHAR_BACKSPACE)) {
-        StrnCpy (StringPtr, &Key.UnicodeChar, 1);
+        StrnCpyS (StringPtr, MaxLen, &Key.UnicodeChar, 1);
         CurrentCursor++;
       } else if ((GetStringWidth (StringPtr) < ((Maximum + 1) * sizeof (CHAR16))) && (Key.UnicodeChar != CHAR_BACKSPACE)) {
         KeyPad[0] = Key.UnicodeChar;
@@ -264,11 +266,11 @@ ReadString (
             TempString[Index] = StringPtr[Index];
           }
 		  TempString[Index] = CHAR_NULL;
-          StrCat (TempString, KeyPad);
-          StrCat (TempString, StringPtr + CurrentCursor);
-          StrCpy (StringPtr, TempString);
+          StrCatS (TempString, MaxLen, KeyPad);
+          StrCatS (TempString, MaxLen, StringPtr + CurrentCursor);
+          StrCpyS (StringPtr, MaxLen, TempString);
         } else {
-          StrCat (StringPtr, KeyPad);
+          StrCatS (StringPtr, MaxLen, KeyPad);
         }
         CurrentCursor++;
       }
@@ -1447,7 +1449,7 @@ GetSelectionInputPopUp (
         CopyMem (TempStringPtr, StringPtr, (sizeof (CHAR16) * (PopUpWidth - 5)));
         FreePool (StringPtr);
         StringPtr = TempStringPtr;
-        StrCat (StringPtr, L"...");
+        StrCatS (StringPtr, PopUpWidth - 1, L"...");
       }
 
       if (Index == HighlightOptionIndex) {
diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
index 52dc5f29d9..f55fb2e263 100644
--- a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
+++ b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
@@ -28,6 +28,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 VOID
 NewStrCat (
   IN OUT CHAR16               *Destination,
+  IN     UINTN                DestMax,
   IN     CHAR16               *Source
   )
 {
@@ -45,7 +46,7 @@ NewStrCat (
   Destination[Length] = NARROW_CHAR;
   Length++;
 
-  StrCpy (Destination + Length, Source);
+  StrCpyS (Destination + Length, DestMax - Length, Source);
 }
 
 /**
@@ -957,6 +958,7 @@ ProcessOptions (
   UINT8                           ValueType;
   EFI_IFR_ORDERED_LIST            *OrderList;
   BOOLEAN                         ValueInvalid;
+  UINTN                           MaxLen;
 
   Status        = EFI_SUCCESS;
 
@@ -999,7 +1001,8 @@ ProcessOptions (
       // We now know how many strings we will have, so we can allocate the
       // space required for the array or strings.
       //
-      *OptionString = AllocateZeroPool (OrderList->MaxContainers * BufferSize);
+      MaxLen = OrderList->MaxContainers * BufferSize / sizeof (CHAR16);
+      *OptionString = AllocateZeroPool (MaxLen * sizeof (CHAR16));
       ASSERT (*OptionString);
 
       HiiValue.Type = ValueType;
@@ -1057,14 +1060,14 @@ ProcessOptions (
         }
 
         Character[0] = LEFT_ONEOF_DELIMITER;
-        NewStrCat (OptionString[0], Character);
+        NewStrCat (OptionString[0], MaxLen, Character);
         StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);
         ASSERT (StringPtr != NULL);
-        NewStrCat (OptionString[0], StringPtr);
+        NewStrCat (OptionString[0], MaxLen, StringPtr);
         Character[0] = RIGHT_ONEOF_DELIMITER;
-        NewStrCat (OptionString[0], Character);
+        NewStrCat (OptionString[0], MaxLen, Character);
         Character[0] = CHAR_CARRIAGE_RETURN;
-        NewStrCat (OptionString[0], Character);
+        NewStrCat (OptionString[0], MaxLen, Character);
         FreePool (StringPtr);
       }
 
@@ -1092,14 +1095,14 @@ ProcessOptions (
           // Not report error, just get the correct option string info.
           //
           Character[0] = LEFT_ONEOF_DELIMITER;
-          NewStrCat (OptionString[0], Character);
+          NewStrCat (OptionString[0], MaxLen, Character);
           StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);
           ASSERT (StringPtr != NULL);
-          NewStrCat (OptionString[0], StringPtr);
+          NewStrCat (OptionString[0], MaxLen, StringPtr);
           Character[0] = RIGHT_ONEOF_DELIMITER;
-          NewStrCat (OptionString[0], Character);
+          NewStrCat (OptionString[0], MaxLen, Character);
           Character[0] = CHAR_CARRIAGE_RETURN;
-          NewStrCat (OptionString[0], Character);
+          NewStrCat (OptionString[0], MaxLen, Character);
           FreePool (StringPtr);
 
           continue;
@@ -1151,6 +1154,7 @@ ProcessOptions (
       //
       Status = GetSelectionInputPopUp (MenuOption);
     } else {
+      MaxLen = BufferSize / sizeof(CHAR16);
       *OptionString = AllocateZeroPool (BufferSize);
       ASSERT (*OptionString);
 
@@ -1204,12 +1208,12 @@ ProcessOptions (
       }
 
       Character[0] = LEFT_ONEOF_DELIMITER;
-      NewStrCat (OptionString[0], Character);
+      NewStrCat (OptionString[0], MaxLen, Character);
       StringPtr = GetToken (OneOfOption->OptionOpCode->Option, gFormData->HiiHandle);
       ASSERT (StringPtr != NULL);
-      NewStrCat (OptionString[0], StringPtr);
+      NewStrCat (OptionString[0], MaxLen, StringPtr);
       Character[0] = RIGHT_ONEOF_DELIMITER;
-      NewStrCat (OptionString[0], Character);
+      NewStrCat (OptionString[0], MaxLen, Character);
 
       FreePool (StringPtr);
     }
diff --git a/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c b/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c
index 22b6b265ee..a21f58a77d 100644
--- a/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c
+++ b/MdeModulePkg/Universal/DriverSampleDxe/DriverSample.c
@@ -330,7 +330,7 @@ ValidatePassword (
   //
   EncodedPassword = AllocateZeroPool (PasswordMaxSize);
   ASSERT (EncodedPassword != NULL);
-  StrnCpy (EncodedPassword, Password, StrLen (Password));
+  StrnCpyS (EncodedPassword, PasswordMaxSize / sizeof (CHAR16), Password, StrLen (Password));
   EncodePassword (EncodedPassword, StrLen (EncodedPassword) * sizeof (CHAR16));
   if (CompareMem (EncodedPassword, PrivateData->Configuration.WhatIsThePassword2, PasswordMaxSize) != 0) {
     //
@@ -400,7 +400,7 @@ SetPassword (
     FreePool (TempPassword);
     return EFI_NOT_READY;
   }
-  StrnCpy (Password, TempPassword, StrLen (TempPassword));
+  StrnCpyS (Password, PasswordSize / sizeof (CHAR16), TempPassword, StrLen (TempPassword));
   FreePool (TempPassword);
 
   //
@@ -601,7 +601,7 @@ CreateAltCfgString (
 
   TmpStr = StringPtr;
   if (Result != NULL) {
-    StrCpy (StringPtr, Result);
+    StrCpyS (StringPtr, NewLen / sizeof (CHAR16), Result);
     StringPtr += StrLen (Result);  
     FreePool (Result);
   }
@@ -908,7 +908,7 @@ ExtractConfig (
       1 + sizeof (PrivateData->Configuration.NameValueVar2) * 2 + 1) * sizeof (CHAR16);
     *Results = AllocateZeroPool (BufferSize);
     ASSERT (*Results != NULL);
-    StrCpy (*Results, ConfigRequest);
+    StrCpyS (*Results, BufferSize / sizeof (CHAR16), ConfigRequest);
     Value = *Results;
 
     //
@@ -1184,7 +1184,7 @@ RouteConfig (
       StrBuffer = (CHAR16 *) PrivateData->Configuration.NameValueVar2;
       ZeroMem (TemStr, sizeof (TemStr));
       while (Value < StrPtr) {
-        StrnCpy (TemStr, Value, 4);
+        StrnCpyS (TemStr, sizeof (TemStr) / sizeof (CHAR16), Value, 4);
         *(StrBuffer++) = (CHAR16) StrHexToUint64 (TemStr);
         Value += 4;
       }
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
index 2f04411683..529e90f8a8 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigKeywordHandler.c
@@ -1670,6 +1670,7 @@ ConstructConfigHdr (
   CHAR16                    *Name;
   CHAR8                     *AsciiName;
   EFI_GUID                  *Guid;
+  UINTN                     MaxLen;
 
   ASSERT (OpCodeData != NULL);
 
@@ -1733,7 +1734,8 @@ ConstructConfigHdr (
   // GUID=<HexCh>32&NAME=<Char>NameLength&PATH=<HexChar>DevicePathSize <Null>
   // | 5 | sizeof (EFI_GUID) * 2 | 6 | NameStrLen*4 | 6 | DevicePathSize * 2 | 1 |
   //
-  String = AllocateZeroPool ((5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1) * sizeof (CHAR16));
+  MaxLen = 5 + sizeof (EFI_GUID) * 2 + 6 + NameLength * 4 + 6 + DevicePathSize * 2 + 1;
+  String = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   if (String == NULL) {
     return NULL;
   }
@@ -1741,7 +1743,8 @@ ConstructConfigHdr (
   //
   // Start with L"GUID="
   //
-  ReturnString = StrCpy (String, L"GUID=");
+  StrCpyS (String, MaxLen, L"GUID=");
+  ReturnString = String;
   String += StrLen (String);
 
   if (Guid != NULL) {
@@ -1756,7 +1759,7 @@ ConstructConfigHdr (
   //
   // Append L"&NAME="
   //
-  StrCpy (String, L"&NAME=");
+  StrCpyS (String, MaxLen, L"&NAME=");
   String += StrLen (String);
 
   if (Name != NULL) {
@@ -1771,7 +1774,7 @@ ConstructConfigHdr (
   //
   // Append L"&PATH="
   //
-  StrCpy (String, L"&PATH=");
+  StrCpyS (String, MaxLen, L"&PATH=");
   String += StrLen (String);
 
   //
@@ -1991,7 +1994,7 @@ ExtractConfigRequest (
   UINT16                              Width;
   CHAR16                              *ConfigHdr;
   CHAR16                              *RequestElement;
-  UINTN                               Length;
+  UINTN                               MaxLen;
   CHAR16                              *StringPtr;
 
   ASSERT (DatabaseRecord != NULL && OpCodeData != NULL && ConfigRequest != NULL);
@@ -2032,8 +2035,8 @@ ExtractConfigRequest (
       ConfigHdr = ConstructConfigHdr(Storage, DatabaseRecord->DriverHandle);
       ASSERT (ConfigHdr != NULL);
 
-      Length = (StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1) * sizeof (CHAR16);
-      *ConfigRequest = AllocatePool (Length);
+      MaxLen = StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1;
+      *ConfigRequest = AllocatePool (MaxLen * sizeof (CHAR16));
       if (*ConfigRequest == NULL) {
         FreePool (ConfigHdr);
         FreePool (RequestElement);
@@ -2041,13 +2044,13 @@ ExtractConfigRequest (
       }
       StringPtr = *ConfigRequest;
 
-      StrCpy (StringPtr, ConfigHdr);
+      StrCpyS (StringPtr, MaxLen, ConfigHdr);
       StringPtr += StrLen (StringPtr);
 
       *StringPtr = L'&';
       StringPtr++;
 
-      StrCpy (StringPtr, RequestElement);
+      StrCpyS (StringPtr, MaxLen, RequestElement);
       StringPtr += StrLen (StringPtr);
       *StringPtr = L'\0';
 
@@ -2098,7 +2101,7 @@ ExtractConfigResp (
   UINT16                              Width;
   CHAR16                              *ConfigHdr;
   CHAR16                              *RequestElement;
-  UINTN                               Length;
+  UINTN                               MaxLen;
   CHAR16                              *StringPtr;
 
   ASSERT ((DatabaseRecord != NULL) && (OpCodeData != NULL) && (ConfigResp != NULL) && (ValueElement != NULL));
@@ -2140,8 +2143,8 @@ ExtractConfigResp (
       ConfigHdr = ConstructConfigHdr(Storage, DatabaseRecord->DriverHandle);
       ASSERT (ConfigHdr != NULL);
 
-      Length = (StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1 + StrLen (L"VALUE=") + StrLen(ValueElement) + 1) * sizeof (CHAR16);
-      *ConfigResp = AllocatePool (Length);
+      MaxLen = StrLen (ConfigHdr) + 1 + StrLen(RequestElement) + 1 + StrLen (L"VALUE=") + StrLen(ValueElement) + 1;
+      *ConfigResp = AllocatePool (MaxLen * sizeof (CHAR16));
       if (*ConfigResp == NULL) {
         FreePool (ConfigHdr);
         FreePool (RequestElement);
@@ -2149,22 +2152,22 @@ ExtractConfigResp (
       }
       StringPtr = *ConfigResp;
 
-      StrCpy (StringPtr, ConfigHdr);
+      StrCpyS (StringPtr, MaxLen, ConfigHdr);
       StringPtr += StrLen (StringPtr);
 
       *StringPtr = L'&';
       StringPtr++;
 
-      StrCpy (StringPtr, RequestElement);
+      StrCpyS (StringPtr, MaxLen, RequestElement);
       StringPtr += StrLen (StringPtr);
       
       *StringPtr = L'&';
       StringPtr++;
 
-      StrCpy (StringPtr, L"VALUE=");
+      StrCpyS (StringPtr, MaxLen, L"VALUE=");
       StringPtr += StrLen (StringPtr);
 
-      StrCpy (StringPtr, ValueElement);
+      StrCpyS (StringPtr, MaxLen, ValueElement);
       StringPtr += StrLen (StringPtr);
       *StringPtr = L'\0';
 
@@ -2433,9 +2436,10 @@ GenerateKeywordResp (
   }
 
   //
-  // 2. Allocate the buffer and create the KeywordResp string.
+  // 2. Allocate the buffer and create the KeywordResp string include '\0'.
   //
-  *KeywordResp = AllocatePool ((RespStrLen + 1) * sizeof (CHAR16));
+  RespStrLen += 1;
+  *KeywordResp = AllocatePool (RespStrLen * sizeof (CHAR16));
   if (*KeywordResp == NULL) {
     if (UnicodeNameSpace != NULL) {
       FreePool (UnicodeNameSpace);
@@ -2448,36 +2452,36 @@ GenerateKeywordResp (
   //
   // 2.1 Copy NameSpaceId section.
   //
-  StrCpy (RespStr, L"NAMESPACE=");
+  StrCpyS (RespStr, RespStrLen, L"NAMESPACE=");
   RespStr += StrLen (RespStr);
-  StrCpy (RespStr, UnicodeNameSpace);
+  StrCpyS (RespStr, RespStrLen, UnicodeNameSpace);
   RespStr += StrLen (RespStr);
 
   //
   // 2.2 Copy PathHdr section.
   //
-  StrCpy (RespStr, PathHdr);
+  StrCpyS (RespStr, RespStrLen, PathHdr);
   RespStr += StrLen (RespStr);
 
   //
   // 2.3 Copy Keyword section.
   //
-  StrCpy (RespStr, L"KEYWORD=");
+  StrCpyS (RespStr, RespStrLen, L"KEYWORD=");
   RespStr += StrLen (RespStr);
-  StrCpy (RespStr, KeywordData);
+  StrCpyS (RespStr, RespStrLen, KeywordData);
   RespStr += StrLen (RespStr);
 
   //
   // 2.4 Copy the Value section.
   //
-  StrCpy (RespStr, ValueStr);
+  StrCpyS (RespStr, RespStrLen, ValueStr);
   RespStr += StrLen (RespStr);
 
   //
   // 2.5 Copy ReadOnly section if exist.
   //
   if (ReadOnly) {
-    StrCpy (RespStr, L"&READONLY");
+    StrCpyS (RespStr, RespStrLen, L"&READONLY");
     RespStr += StrLen (RespStr);
   }
 
@@ -2538,7 +2542,7 @@ MergeToMultiKeywordResp (
   *StringPtr = L'&';
   StringPtr++;
 
-  StrCpy (StringPtr, *KeywordResp);
+  StrCpyS (StringPtr, MultiKeywordRespLen / sizeof (CHAR16), *KeywordResp);
 
   return EFI_SUCCESS;
 }
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c
index 4caf361bd2..56868831a1 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/ConfigRouting.c
@@ -1,7 +1,7 @@
 /** @file
 Implementation of interfaces function for EFI_HII_CONFIG_ROUTING_PROTOCOL.
 
-Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -252,8 +252,7 @@ GenerateSubStr (
   Str    = AllocateZeroPool (Length * sizeof (CHAR16));
   ASSERT (Str != NULL);
 
-  StrCpy (Str, String);
-  Length = (BufferLen * 2 + 1) * sizeof (CHAR16);
+  StrCpyS (Str, Length, String);
 
   StringHeader = Str + StrLen (String);
   TemString    = (CHAR16 *) StringHeader;
@@ -297,7 +296,7 @@ GenerateSubStr (
   //
   // Convert the uppercase to lowercase since <HexAf> is defined in lowercase format.
   //
-  StrCat (Str, L"&");  
+  StrCatS (Str, Length, L"&");  
   HiiToLower (Str);
 
   *SubStr = Str;
@@ -392,6 +391,7 @@ AppendToMultiString (
 {
   UINTN AppendStringSize;
   UINTN MultiStringSize;
+  UINTN MaxLen;
 
   if (MultiString == NULL || *MultiString == NULL || AppendString == NULL) {
     return EFI_INVALID_PARAMETER;
@@ -399,6 +399,7 @@ AppendToMultiString (
 
   AppendStringSize = StrSize (AppendString);
   MultiStringSize  = StrSize (*MultiString);
+  MaxLen = MAX_STRING_LENGTH / sizeof (CHAR16);
 
   //
   // Enlarge the buffer each time when length exceeds MAX_STRING_LENGTH.
@@ -410,12 +411,13 @@ AppendToMultiString (
                                   MultiStringSize + AppendStringSize,
                                   (VOID *) (*MultiString)
                                   );
+    MaxLen = (MultiStringSize + AppendStringSize) / sizeof (CHAR16);
     ASSERT (*MultiString != NULL);
   }
   //
   // Append the incoming string
   //
-  StrCat (*MultiString, AppendString);
+  StrCatS (*MultiString, MaxLen, AppendString);
 
   return EFI_SUCCESS;
 }
@@ -536,6 +538,8 @@ MergeDefaultString (
   EFI_STRING   AltConfigHdr;
   UINTN        HeaderLength;
   UINTN        SizeAltCfgResp;
+  UINTN        MaxLen;
+  UINTN        TotalSize;
   
   if (*AltCfgResp == NULL) {
     return EFI_INVALID_PARAMETER;
@@ -572,13 +576,14 @@ MergeDefaultString (
   // Construct AltConfigHdr string  "&<ConfigHdr>&ALTCFG=XXXX\0"
   //                                  |1| StrLen (ConfigHdr) | 8 | 4 | 1 |
   //
-  AltConfigHdr = AllocateZeroPool ((1 + HeaderLength + 8 + 4 + 1) * sizeof (CHAR16));
+  MaxLen = 1 + HeaderLength + 8 + 4 + 1;
+  AltConfigHdr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   if (AltConfigHdr == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
-  StrCpy (AltConfigHdr, L"&");
-  StrnCat (AltConfigHdr, *AltCfgResp, HeaderLength);
-  StrCat (AltConfigHdr, L"&ALTCFG=");
+  StrCpyS (AltConfigHdr, MaxLen, L"&");
+  StrnCatS (AltConfigHdr, MaxLen, *AltCfgResp, HeaderLength);
+  StrCatS (AltConfigHdr, MaxLen, L"&ALTCFG=");
   HeaderLength = StrLen (AltConfigHdr);
   
   StringPtrDefault = StrStr (DefaultAltCfgResp, AltConfigHdr);
@@ -586,7 +591,7 @@ MergeDefaultString (
     //
     // Get AltCfg Name
     //
-    StrnCat (AltConfigHdr, StringPtrDefault + HeaderLength, 4);
+    StrnCatS (AltConfigHdr, MaxLen, StringPtrDefault + HeaderLength, 4);
     StringPtr = StrStr (*AltCfgResp, AltConfigHdr); 
     
     //
@@ -595,34 +600,35 @@ MergeDefaultString (
     if (StringPtr == NULL) {
       StringPtrEnd   = StrStr (StringPtrDefault + 1, L"&GUID");
       SizeAltCfgResp = StrSize (*AltCfgResp);
+      TotalSize = SizeAltCfgResp + StrSize (StringPtrDefault);
       if (StringPtrEnd == NULL) {
         //
         // No more default string is found.
         //
         *AltCfgResp    = (EFI_STRING) ReallocatePool (
                                      SizeAltCfgResp,
-                                     SizeAltCfgResp + StrSize (StringPtrDefault),
+                                     TotalSize,
                                      (VOID *) (*AltCfgResp)
                                      );
         if (*AltCfgResp == NULL) {
           FreePool (AltConfigHdr);
           return EFI_OUT_OF_RESOURCES;
         }
-        StrCat (*AltCfgResp, StringPtrDefault);
+        StrCatS (*AltCfgResp, TotalSize / sizeof (CHAR16), StringPtrDefault);
         break;
       } else {
         TempChar = *StringPtrEnd;
         *StringPtrEnd = L'\0';
         *AltCfgResp = (EFI_STRING) ReallocatePool (
                                      SizeAltCfgResp,
-                                     SizeAltCfgResp + StrSize (StringPtrDefault),
+                                     TotalSize,
                                      (VOID *) (*AltCfgResp)
                                      );
         if (*AltCfgResp == NULL) {
           FreePool (AltConfigHdr);
           return EFI_OUT_OF_RESOURCES;
         }
-        StrCat (*AltCfgResp, StringPtrDefault);
+        StrCatS (*AltCfgResp, TotalSize / sizeof (CHAR16), StringPtrDefault);
         *StringPtrEnd = TempChar;
       }
     }
@@ -1188,8 +1194,8 @@ GetVarStoreType (
         Status = EFI_OUT_OF_RESOURCES;
         goto Done;
       }
-      StrCpy (TempStr, GuidStr);
-      StrCat (TempStr, NameStr);
+      StrCpyS (TempStr, LengthString, GuidStr);
+      StrCatS (TempStr, LengthString, NameStr);
       if (ConfigHdr == NULL || StrnCmp (ConfigHdr, TempStr, StrLen (TempStr)) == 0) {
         *EfiVarStore = (EFI_IFR_VARSTORE_EFI *) AllocateZeroPool (IfrOpHdr->Length);
         if (*EfiVarStore == NULL) {
@@ -1304,8 +1310,8 @@ IsThisVarstore (
     goto Done;
   }
 
-  StrCpy (TempStr, GuidStr);
-  StrCat (TempStr, NameStr);
+  StrCpyS (TempStr, LengthString, GuidStr);
+  StrCatS (TempStr, LengthString, NameStr);
 
   if (ConfigHdr == NULL || StrnCmp (ConfigHdr, TempStr, StrLen (TempStr)) == 0) {
     RetVal = TRUE;
@@ -2666,7 +2672,7 @@ GenerateConfigRequest (
   //
   // Start with <ConfigHdr>
   //
-  StrCpy (StringPtr, ConfigHdr);
+  StrCpyS (StringPtr, Length, ConfigHdr);
   StringPtr += StrLen (StringPtr);
 
   //
@@ -2765,12 +2771,12 @@ GenerateHdr (
     Status = EFI_OUT_OF_RESOURCES;
     goto Done;
   }
-  StrCpy (*ConfigHdr, GuidStr);
-  StrCat (*ConfigHdr, NameStr);
+  StrCpyS (*ConfigHdr, Length, GuidStr);
+  StrCatS (*ConfigHdr, Length, NameStr);
   if (VarStorageData->Name == NULL) {
-    StrCat (*ConfigHdr, L"&");
+    StrCatS (*ConfigHdr, Length, L"&");
   }
-  StrCat (*ConfigHdr, PathStr);
+  StrCatS (*ConfigHdr, Length, PathStr);
 
   //
   // Remove the last character L'&'
@@ -2934,7 +2940,7 @@ GenerateAltConfigResp (
   //
   // Start with <ConfigHdr>
   //
-  StrCpy (StringPtr, ConfigHdr);
+  StrCpyS (StringPtr, Length, ConfigHdr);
   StringPtr += StrLen (StringPtr);
 
   for (Link = DefaultIdArray->Entry.ForwardLink; Link != &DefaultIdArray->Entry; Link = Link->ForwardLink) {
@@ -4612,8 +4618,8 @@ HiiBlockToConfig (
       *(ConfigElement + (StringPtr - TmpPtr)) = L'&';
     }
     *(ConfigElement + (StringPtr - TmpPtr) + 1) = 0;
-    StrCat (ConfigElement, L"VALUE=");
-    StrCat (ConfigElement, ValueStr);
+    StrCatS (ConfigElement, Length, L"VALUE=");
+    StrCatS (ConfigElement, Length, ValueStr);
 
     AppendToMultiString (Config, ConfigElement);
 
@@ -5130,8 +5136,8 @@ Exit:
     if (*AltCfgResp == NULL) {
       Status = EFI_OUT_OF_RESOURCES;
     } else {
-      StrnCpy (*AltCfgResp, HdrStart, HdrEnd - HdrStart);
-      StrCat (*AltCfgResp, Result);
+      StrnCpyS (*AltCfgResp, Length, HdrStart, HdrEnd - HdrStart);
+      StrCatS (*AltCfgResp, Length, Result);
       Status = EFI_SUCCESS;
     }
   }
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
index 70c0385d88..7ea2e723a5 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
@@ -1,7 +1,7 @@
 /** @file
 Implementation for EFI_HII_DATABASE_PROTOCOL.
 
-Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -798,7 +798,7 @@ InsertStringPackage (
   if (Language == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
-  AsciiStrCpy (Language, (CHAR8 *) PackageHdr + HeaderSize - LanguageSize);
+  AsciiStrCpyS (Language, LanguageSize / sizeof (CHAR8), (CHAR8 *) PackageHdr + HeaderSize - LanguageSize);
   for (Link = PackageList->StringPkgHdr.ForwardLink; Link != &PackageList->StringPkgHdr; Link = Link->ForwardLink) {
     StringPackage = CR (Link, HII_STRING_PACKAGE_INSTANCE, StringEntry, HII_STRING_PACKAGE_SIGNATURE);
     if (HiiCompareLanguage (Language, StringPackage->StringPkgHdr->Language)) {
@@ -1182,7 +1182,7 @@ InsertFontPackage (
   }
   FontInfo->FontStyle = FontPkgHdr->FontStyle;
   FontInfo->FontSize  = FontPkgHdr->Cell.Height;
-  StrCpy (FontInfo->FontName, FontPkgHdr->FontFamily);
+  StrCpyS (FontInfo->FontName, sizeof (FontInfo->FontName) / sizeof (CHAR16), FontPkgHdr->FontFamily);
 
   if (IsFontInfoExisted (Private, FontInfo, NULL, NULL, NULL)) {
     Status = EFI_UNSUPPORTED;
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c b/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c
index 61e50c4e9c..4b70b995f5 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/Font.c
@@ -2,7 +2,7 @@
 Implementation for EFI_HII_FONT_PROTOCOL.
 
 
-Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -933,16 +933,18 @@ SaveFontName (
   )
 {
   UINTN         FontInfoLen;
+  UINTN         NameSize;
 
   ASSERT (FontName != NULL && FontInfo != NULL);
 
-  FontInfoLen = sizeof (EFI_FONT_INFO) - sizeof (CHAR16) + StrSize (FontName);
+  NameSize = StrSize (FontName);
+  FontInfoLen = sizeof (EFI_FONT_INFO) - sizeof (CHAR16) + NameSize;
   *FontInfo = (EFI_FONT_INFO *) AllocateZeroPool (FontInfoLen);
   if (*FontInfo == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
 
-  StrCpy ((*FontInfo)->FontName, FontName);
+  StrCpyS ((*FontInfo)->FontName, NameSize / sizeof (CHAR16), FontName);
   return EFI_SUCCESS;
 }
 
@@ -971,6 +973,7 @@ GetSystemFont (
 {
   EFI_FONT_DISPLAY_INFO              *Info;
   UINTN                              InfoSize;
+  UINTN                              NameSize;
 
   if (Private == NULL || Private->Signature != HII_DATABASE_PRIVATE_DATA_SIGNATURE) {
     return EFI_INVALID_PARAMETER;
@@ -982,7 +985,8 @@ GetSystemFont (
   //
   // The standard font always has the name "sysdefault".
   //
-  InfoSize = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + StrSize (L"sysdefault");
+  NameSize = StrSize (L"sysdefault");
+  InfoSize = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + NameSize;
   Info = (EFI_FONT_DISPLAY_INFO *) AllocateZeroPool (InfoSize);
   if (Info == NULL) {
     return EFI_OUT_OF_RESOURCES;
@@ -993,7 +997,7 @@ GetSystemFont (
   Info->FontInfoMask       = EFI_FONT_INFO_SYS_FONT | EFI_FONT_INFO_SYS_SIZE | EFI_FONT_INFO_SYS_STYLE;
   Info->FontInfo.FontStyle = 0;
   Info->FontInfo.FontSize  = EFI_GLYPH_HEIGHT;
-  StrCpy (Info->FontInfo.FontName, L"sysdefault");
+  StrCpyS (Info->FontInfo.FontName, NameSize / sizeof (CHAR16), L"sysdefault");
 
   *FontInfo = Info;
   if (FontInfoSize != NULL) {
@@ -2310,6 +2314,7 @@ HiiStringIdToImage (
   EFI_STRING                          String;
   UINTN                               StringSize;
   UINTN                               FontLen;
+  UINTN                               NameSize;
   EFI_FONT_INFO                       *StringFontInfo;
   EFI_FONT_DISPLAY_INFO               *NewStringInfo;
   CHAR8                               TempSupportedLanguages;
@@ -2432,7 +2437,8 @@ HiiStringIdToImage (
   // StringFontInfo equals NULL means system default font attaches with the string block.
   //
   if (StringFontInfo != NULL && IsSystemFontInfo (Private, (EFI_FONT_DISPLAY_INFO *) StringInfo, NULL, NULL)) {
-    FontLen = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + StrSize (StringFontInfo->FontName);
+    NameSize = StrSize (StringFontInfo->FontName);
+    FontLen = sizeof (EFI_FONT_DISPLAY_INFO) - sizeof (CHAR16) + NameSize;
     NewStringInfo = AllocateZeroPool (FontLen);
     if (NewStringInfo == NULL) {      
       Status = EFI_OUT_OF_RESOURCES;
@@ -2441,7 +2447,7 @@ HiiStringIdToImage (
     NewStringInfo->FontInfoMask       = EFI_FONT_INFO_SYS_FORE_COLOR | EFI_FONT_INFO_SYS_BACK_COLOR;
     NewStringInfo->FontInfo.FontStyle = StringFontInfo->FontStyle;
     NewStringInfo->FontInfo.FontSize  = StringFontInfo->FontSize;    
-    StrCpy (NewStringInfo->FontInfo.FontName, StringFontInfo->FontName);
+    StrCpyS (NewStringInfo->FontInfo.FontName, NameSize / sizeof (CHAR16), StringFontInfo->FontName);
   
     Status = HiiStringToImage (
                This, 
diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
index 7698cc2780..a83248667d 100644
--- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
@@ -1333,7 +1333,7 @@ HiiNewString (
     StringPackage->StringPkgHdr->StringInfoOffset = HeaderSize;
     CopyMem (StringPackage->StringPkgHdr->LanguageWindow, mLanguageWindow, 16 * sizeof (CHAR16));
     StringPackage->StringPkgHdr->LanguageName     = 1;
-    AsciiStrCpy (StringPackage->StringPkgHdr->Language, (CHAR8 *) Language);
+    AsciiStrCpyS (StringPackage->StringPkgHdr->Language, sizeof(StringPackage->StringPkgHdr->Language) / sizeof (CHAR8), (CHAR8 *) Language);
 
     //
     // Calculate the length of the string blocks, including string block to record
@@ -1842,7 +1842,7 @@ HiiGetLanguages (
     }
     ResultSize += AsciiStrSize (StringPackage->StringPkgHdr->Language);
     if (ResultSize <= *LanguagesSize) {
-      AsciiStrCpy (Languages, StringPackage->StringPkgHdr->Language);
+      AsciiStrCpyS (Languages, *LanguagesSize / sizeof (CHAR8), StringPackage->StringPkgHdr->Language);
       Languages += AsciiStrSize (StringPackage->StringPkgHdr->Language);
       *(Languages - 1) = L';';
     }
@@ -1959,7 +1959,7 @@ HiiGetSecondaryLanguages (
 
       ResultSize = AsciiStrSize (Languages);
       if (ResultSize <= *SecondaryLanguagesSize) {
-        AsciiStrCpy (SecondaryLanguages, Languages);
+        AsciiStrCpyS (SecondaryLanguages, *SecondaryLanguagesSize / sizeof (CHAR8), Languages);
       } else {
         *SecondaryLanguagesSize = ResultSize;
         return EFI_BUFFER_TOO_SMALL;
@@ -2024,13 +2024,13 @@ HiiCompareLanguage (
   StrLen = AsciiStrSize (Language1);
   Lan1   = AllocateZeroPool (StrLen);
   ASSERT (Lan1 != NULL);
-  AsciiStrCpy(Lan1, Language1);
+  AsciiStrCpyS(Lan1, StrLen / sizeof (CHAR8), Language1);
   AsciiHiiToLower (Lan1);
 
   StrLen = AsciiStrSize (Language2);
   Lan2   = AllocateZeroPool (StrLen);
   ASSERT (Lan2 != NULL);
-  AsciiStrCpy(Lan2, Language2);
+  AsciiStrCpyS(Lan2, StrLen / sizeof (CHAR8), Language2);
   AsciiHiiToLower (Lan2);
 
   //
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c b/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
index f1a65b2e89..688a1d66cb 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/Expression.c
@@ -1324,6 +1324,7 @@ IfrCatenate (
   UINT16         Length0;
   UINT16         Length1;
   UINT8          *TmpBuf;
+  UINTN          MaxLen;
 
   //
   // String[0] - The second string
@@ -1363,10 +1364,11 @@ IfrCatenate (
 
   if (Value[0].Type == EFI_IFR_TYPE_STRING) {
     Size = StrSize (String[0]);
-    StringPtr= AllocatePool (StrSize (String[1]) + Size);
+    MaxLen = (StrSize (String[1]) + Size) / sizeof (CHAR16);
+    StringPtr= AllocatePool (MaxLen * sizeof (CHAR16));
     ASSERT (StringPtr != NULL);
-    StrCpy (StringPtr, String[1]);
-    StrCat (StringPtr, String[0]);
+    StrCpyS (StringPtr, MaxLen, String[1]);
+    StrCatS (StringPtr, MaxLen, String[0]);
 
     Result->Type = EFI_IFR_TYPE_STRING;
     Result->Value.string = NewString (StringPtr, FormSet->HiiHandle);
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c b/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
index 45405609c1..953e3a5071 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/IfrParse.c
@@ -688,6 +688,7 @@ InitializeRequestElement (
   LIST_ENTRY       *Link;
   BOOLEAN          Find;
   FORM_BROWSER_CONFIG_REQUEST  *ConfigInfo;
+  UINTN            MaxLen;
 
   Storage = Question->Storage;
   if (Storage == NULL) {
@@ -732,6 +733,8 @@ InitializeRequestElement (
   //
   FormsetStorage = GetFstStgFromVarId(FormSet, Question->VarStoreId);
   ASSERT (FormsetStorage != NULL);
+  StringSize = (FormsetStorage->ConfigRequest != NULL) ? StrSize (FormsetStorage->ConfigRequest) : sizeof (CHAR16);
+  MaxLen = StringSize / sizeof (CHAR16) + FormsetStorage->SpareStrLen;
 
   //
   // Append <RequestElement> to <ConfigRequest>
@@ -740,8 +743,8 @@ InitializeRequestElement (
     //
     // Old String buffer is not sufficient for RequestElement, allocate a new one
     //
-    StringSize = (FormsetStorage->ConfigRequest != NULL) ? StrSize (FormsetStorage->ConfigRequest) : sizeof (CHAR16);
-    NewStr = AllocateZeroPool (StringSize + CONFIG_REQUEST_STRING_INCREMENTAL * sizeof (CHAR16));
+    MaxLen = StringSize / sizeof (CHAR16) + CONFIG_REQUEST_STRING_INCREMENTAL;
+    NewStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
     ASSERT (NewStr != NULL);
     if (FormsetStorage->ConfigRequest != NULL) {
       CopyMem (NewStr, FormsetStorage->ConfigRequest, StringSize);
@@ -751,7 +754,7 @@ InitializeRequestElement (
     FormsetStorage->SpareStrLen   = CONFIG_REQUEST_STRING_INCREMENTAL;
   }
 
-  StrCat (FormsetStorage->ConfigRequest, RequestElement);
+  StrCatS (FormsetStorage->ConfigRequest, MaxLen, RequestElement);
   FormsetStorage->ElementCount++;
   FormsetStorage->SpareStrLen -= StrLen;
 
@@ -782,6 +785,8 @@ InitializeRequestElement (
     ConfigInfo->Storage       = FormsetStorage->BrowserStorage;
     InsertTailList(&Form->ConfigRequestHead, &ConfigInfo->Link);
   }
+  StringSize = (ConfigInfo->ConfigRequest != NULL) ? StrSize (ConfigInfo->ConfigRequest) : sizeof (CHAR16);
+  MaxLen = StringSize / sizeof (CHAR16) + ConfigInfo->SpareStrLen;
 
   //
   // Append <RequestElement> to <ConfigRequest>
@@ -790,8 +795,8 @@ InitializeRequestElement (
     //
     // Old String buffer is not sufficient for RequestElement, allocate a new one
     //
-    StringSize = (ConfigInfo->ConfigRequest != NULL) ? StrSize (ConfigInfo->ConfigRequest) : sizeof (CHAR16);
-    NewStr = AllocateZeroPool (StringSize + CONFIG_REQUEST_STRING_INCREMENTAL * sizeof (CHAR16));
+    MaxLen = StringSize / sizeof (CHAR16) + CONFIG_REQUEST_STRING_INCREMENTAL;
+    NewStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
     ASSERT (NewStr != NULL);
     if (ConfigInfo->ConfigRequest != NULL) {
       CopyMem (NewStr, ConfigInfo->ConfigRequest, StringSize);
@@ -801,7 +806,7 @@ InitializeRequestElement (
     ConfigInfo->SpareStrLen   = CONFIG_REQUEST_STRING_INCREMENTAL;
   }
 
-  StrCat (ConfigInfo->ConfigRequest, RequestElement);
+  StrCatS (ConfigInfo->ConfigRequest, MaxLen, RequestElement);
   ConfigInfo->ElementCount++;
   ConfigInfo->SpareStrLen -= StrLen;
   return EFI_SUCCESS;
diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c b/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c
index b153dd4bfe..c209db8bc7 100644
--- a/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c
+++ b/MdeModulePkg/Universal/SetupBrowserDxe/Setup.c
@@ -635,6 +635,7 @@ ProcessStorage (
   CHAR16                *StrPtr;
   UINTN                 BufferSize;
   UINTN                 TmpSize;
+  UINTN                 MaxLen;
   FORMSET_STORAGE       *BrowserStorage;
 
   if (RetrieveData) {
@@ -660,7 +661,7 @@ ProcessStorage (
     // Copy the data if the input buffer is bigger enough.
     //
     if (*ResultsDataSize >= BufferSize) {
-      StrCpy (*ResultsData, StrPtr);
+      StrCpyS (*ResultsData, *ResultsDataSize / sizeof (CHAR16), StrPtr);
     }
 
     *ResultsDataSize = BufferSize;
@@ -673,12 +674,13 @@ ProcessStorage (
     ASSERT (BrowserStorage != NULL);
     TmpSize = StrLen (*ResultsData);
     BufferSize = (TmpSize + StrLen (BrowserStorage->ConfigHdr) + 2) * sizeof (CHAR16);
+    MaxLen = BufferSize / sizeof (CHAR16);
     ConfigResp = AllocateZeroPool (BufferSize);
     ASSERT (ConfigResp != NULL);
 
-    StrCpy (ConfigResp, BrowserStorage->ConfigHdr);
-    StrCat (ConfigResp, L"&");
-    StrCat (ConfigResp, *ResultsData);
+    StrCpyS (ConfigResp, MaxLen, BrowserStorage->ConfigHdr);
+    StrCatS (ConfigResp, MaxLen, L"&");
+    StrCatS (ConfigResp, MaxLen, *ResultsData);
 
     //
     // Update Browser uncommited data
@@ -1079,19 +1081,19 @@ NewStringCat (
   )
 {
   CHAR16  *NewString;
-  UINTN   TmpSize;
+  UINTN   MaxLen;
 
   if (*Dest == NULL) {
     NewStringCpy (Dest, Src);
     return;
   }
 
-  TmpSize = StrSize (*Dest);
-  NewString = AllocateZeroPool (TmpSize + StrSize (Src) - 1);
+  MaxLen = ( StrSize (*Dest) + StrSize (Src) - 1) / sizeof (CHAR16);
+  NewString = AllocateZeroPool (MaxLen * sizeof (CHAR16));
   ASSERT (NewString != NULL);
 
-  StrCpy (NewString, *Dest);
-  StrCat (NewString, Src);
+  StrCpyS (NewString, MaxLen, *Dest);
+  StrCatS (NewString, MaxLen, Src);
 
   FreePool (*Dest);
   *Dest = NewString;
@@ -1441,7 +1443,7 @@ BufferToValue (
       DstBuf = (CHAR16 *) Dst;
       ZeroMem (TemStr, sizeof (TemStr));
       for (Index = 0; Index < LengthStr; Index += 4) {
-        StrnCpy (TemStr, Value + Index, 4);
+        StrnCpyS (TemStr, sizeof (TemStr) / sizeof (CHAR16), Value + Index, 4);
         DstBuf[Index/4] = (CHAR16) StrHexToUint64 (TemStr);
       }
       //
@@ -1505,6 +1507,7 @@ GetQuestionValue (
   CHAR16              *Value;
   UINTN               Length;
   BOOLEAN             IsBufferStorage;
+  UINTN               MaxLen;
 
   Status = EFI_SUCCESS;
   Value  = NULL;
@@ -1704,15 +1707,17 @@ GetQuestionValue (
       Length = StrLen (FormsetStorage->ConfigHdr);
       Length += StrLen (Question->VariableName) + 1;
     }
-    ConfigRequest = AllocateZeroPool ((Length + 1) * sizeof (CHAR16));
+    // Allocate buffer include '\0'
+    MaxLen = Length + 1;
+    ConfigRequest = AllocateZeroPool (MaxLen * sizeof (CHAR16));
     ASSERT (ConfigRequest != NULL);
 
-    StrCpy (ConfigRequest, FormsetStorage->ConfigHdr);
+    StrCpyS (ConfigRequest, MaxLen, FormsetStorage->ConfigHdr);
     if (IsBufferStorage) {
-      StrCat (ConfigRequest, Question->BlockName);
+      StrCatS (ConfigRequest, MaxLen, Question->BlockName);
     } else {
-      StrCat (ConfigRequest, L"&");
-      StrCat (ConfigRequest, Question->VariableName);
+      StrCatS (ConfigRequest, MaxLen, L"&");
+      StrCatS (ConfigRequest, MaxLen, Question->VariableName);
     }
 
     //
@@ -1818,6 +1823,7 @@ SetQuestionValue (
   CHAR16              *TemString;
   UINTN               Index;
   NAME_VALUE_NODE     *Node;
+  UINTN               MaxLen;
 
   Status = EFI_SUCCESS;
   Node   = NULL;
@@ -2002,17 +2008,18 @@ SetQuestionValue (
     }
     FormsetStorage = GetFstStgFromVarId(FormSet, Question->VarStoreId);
     ASSERT (FormsetStorage != NULL);
-    ConfigResp = AllocateZeroPool ((StrLen (FormsetStorage->ConfigHdr) + Length + 1) * sizeof (CHAR16));
+    MaxLen = StrLen (FormsetStorage->ConfigHdr) + Length + 1;
+    ConfigResp = AllocateZeroPool (MaxLen * sizeof (CHAR16));
     ASSERT (ConfigResp != NULL);
 
-    StrCpy (ConfigResp, FormsetStorage->ConfigHdr);
+    StrCpyS (ConfigResp, MaxLen, FormsetStorage->ConfigHdr);
     if (IsBufferStorage) {
-      StrCat (ConfigResp, Question->BlockName);
-      StrCat (ConfigResp, L"&VALUE=");
+      StrCatS (ConfigResp, MaxLen, Question->BlockName);
+      StrCatS (ConfigResp, MaxLen, L"&VALUE=");
     } else {
-      StrCat (ConfigResp, L"&");
-      StrCat (ConfigResp, Question->VariableName);
-      StrCat (ConfigResp, L"=");
+      StrCatS (ConfigResp, MaxLen, L"&");
+      StrCatS (ConfigResp, MaxLen, Question->VariableName);
+      StrCatS (ConfigResp, MaxLen, L"=");
     }
 
     Value = ConfigResp + StrLen (ConfigResp);
@@ -4887,8 +4894,11 @@ AppendConfigRequest (
   CHAR16   *NewStr;
   UINTN    StringSize;
   UINTN    StrLength;
+  UINTN    MaxLen;
 
   StrLength = StrLen (RequestElement);
+  StringSize = (*ConfigRequest != NULL) ? StrSize (*ConfigRequest) : sizeof (CHAR16);
+  MaxLen = StringSize / sizeof (CHAR16) + *SpareStrLen;
 
   //
   // Append <RequestElement> to <ConfigRequest>
@@ -4897,8 +4907,8 @@ AppendConfigRequest (
     //
     // Old String buffer is not sufficient for RequestElement, allocate a new one
     //
-    StringSize = (*ConfigRequest != NULL) ? StrSize (*ConfigRequest) : sizeof (CHAR16);
-    NewStr = AllocateZeroPool (StringSize + CONFIG_REQUEST_STRING_INCREMENTAL * sizeof (CHAR16));
+    MaxLen = StringSize / sizeof (CHAR16) + CONFIG_REQUEST_STRING_INCREMENTAL;
+    NewStr = AllocateZeroPool (MaxLen * sizeof (CHAR16));
     ASSERT (NewStr != NULL);
 
     if (*ConfigRequest != NULL) {
@@ -4909,7 +4919,7 @@ AppendConfigRequest (
     *SpareStrLen   = CONFIG_REQUEST_STRING_INCREMENTAL;
   }
 
-  StrCat (*ConfigRequest, RequestElement);
+  StrCatS (*ConfigRequest, MaxLen, RequestElement);
   *SpareStrLen -= StrLength;
 }
 
-- 
2.39.2