From 04722cfa309104d815257a2705db5ee7024dc9bf Mon Sep 17 00:00:00 2001 From: "Bi, Dandan" Date: Tue, 28 Aug 2018 10:05:48 +0800 Subject: [PATCH] MdeModulePkg/Setup: Fix incorrect size used in AllocateCopyPool REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1115 When the type of HiiValue is EFI_IFR_TYPE_BUFFER, its question type is EFI_IFR_ORDERED_LIST_OP. And the buffer size allocated for Statement->BufferValue of orderedList is "Statement->StorageWidth" in IfrParse.c. So here when backup the buffer value and copy the size of "Statement->StorageWidth + sizeof(CHAR16)" is incorrect. This patch is to fix this issue. Cc: Eric Dong Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Dandan Bi Reviewed-by: Eric Dong --- MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c index ded1c7ad11..58daaab404 100644 --- a/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c +++ b/MdeModulePkg/Universal/SetupBrowserDxe/Presentation.c @@ -2004,7 +2004,7 @@ ProcessCallBackFunction ( // if (Action == EFI_BROWSER_ACTION_CHANGING) { if (HiiValue->Type == EFI_IFR_TYPE_BUFFER) { - BackUpBuffer = AllocateCopyPool(Statement->StorageWidth + sizeof(CHAR16), Statement->BufferValue); + BackUpBuffer = AllocateCopyPool(Statement->StorageWidth, Statement->BufferValue); ASSERT (BackUpBuffer != NULL); } else { CopyMem (&BackUpValue, &HiiValue->Value, sizeof (EFI_IFR_TYPE_VALUE)); @@ -2130,7 +2130,7 @@ ProcessCallBackFunction ( // if (Action == EFI_BROWSER_ACTION_CHANGING && Status == EFI_UNSUPPORTED) { if (HiiValue->Type == EFI_IFR_TYPE_BUFFER) { - CopyMem (Statement->BufferValue, BackUpBuffer, Statement->StorageWidth + sizeof(CHAR16)); + CopyMem (Statement->BufferValue, BackUpBuffer, Statement->StorageWidth); } else { CopyMem (&HiiValue->Value, &BackUpValue, sizeof (EFI_IFR_TYPE_VALUE)); } -- 2.39.2